8216626036fdf57a5bdb426bef50a9ea1ef21bdbeb7da03313c8a3105a8fc162

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PanSage_@ABYSZ_TROJAN.exe
Size

11.5MB
MD5

785f574ddadd7d9e754f66e9afeb8609
SHA1

d40142f8774726feb85020cf0d9d8bd8e40be3da
SHA256

8216626036fdf57a5bdb426bef50a9ea1ef21bdbeb7da03313c8a3105a8fc162
SHA512

74c5b7bf575b6d2521422af8d5ce6dc5bf437b5648ac2a3932cb65c42a66ba5f19e62e76ff5d62b9d66f322b134571cef30fe5c603ee727d3f638647ef85f721
SSDEEP

196608:KoFToauUxbAQvaNJm3AqowejuJDUX47dwdW0BBbnTWkYPy1hj4Trxu:JFZxy/m3poaUX47d47NB4c

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Loads dropped DLL 64 IoCs

pid	Process
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ipinfo.io
21	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4600	reg.exe
2112	reg.exe
380	reg.exe
2220	reg.exe
3116	reg.exe
5116	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3284	msedge.exe
3284	msedge.exe
1276	msedge.exe
1276	msedge.exe
3944	identity_helper.exe
3944	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	PanSage_@ABYSZ_TROJAN.exe
Token: SeDebugPrivilege	1688	PanSage_@ABYSZ_TROJAN.exe
Token: SeDebugPrivilege	1520	PanSage_@ABYSZ_TROJAN.exe
Token: SeDebugPrivilege	4248	PanSage_@ABYSZ_TROJAN.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1828	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1520	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
1688	PanSage_@ABYSZ_TROJAN.exe
4248	PanSage_@ABYSZ_TROJAN.exe
4248	PanSage_@ABYSZ_TROJAN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1828	1916	PanSage_@ABYSZ_TROJAN.exe	82
PID 1916 wrote to memory of 1828	1916	PanSage_@ABYSZ_TROJAN.exe	82
PID 1828 wrote to memory of 928	1828	PanSage_@ABYSZ_TROJAN.exe	83
PID 1828 wrote to memory of 928	1828	PanSage_@ABYSZ_TROJAN.exe	83
PID 1828 wrote to memory of 1304	1828	PanSage_@ABYSZ_TROJAN.exe	86
PID 1828 wrote to memory of 1304	1828	PanSage_@ABYSZ_TROJAN.exe	86
PID 1304 wrote to memory of 1036	1304	cmd.exe	88
PID 1304 wrote to memory of 1036	1304	cmd.exe	88
PID 1036 wrote to memory of 4504	1036	net.exe	89
PID 1036 wrote to memory of 4504	1036	net.exe	89
PID 1304 wrote to memory of 380	1304	cmd.exe	90
PID 1304 wrote to memory of 380	1304	cmd.exe	90
PID 1304 wrote to memory of 2220	1304	cmd.exe	91
PID 1304 wrote to memory of 2220	1304	cmd.exe	91
PID 1304 wrote to memory of 3116	1304	cmd.exe	92
PID 1304 wrote to memory of 3116	1304	cmd.exe	92
PID 1304 wrote to memory of 5116	1304	cmd.exe	93
PID 1304 wrote to memory of 5116	1304	cmd.exe	93
PID 1304 wrote to memory of 4600	1304	cmd.exe	94
PID 1304 wrote to memory of 4600	1304	cmd.exe	94
PID 1304 wrote to memory of 2112	1304	cmd.exe	95
PID 1304 wrote to memory of 2112	1304	cmd.exe	95
PID 1828 wrote to memory of 1688	1828	PanSage_@ABYSZ_TROJAN.exe	96
PID 1828 wrote to memory of 1688	1828	PanSage_@ABYSZ_TROJAN.exe	96
PID 1828 wrote to memory of 1520	1828	PanSage_@ABYSZ_TROJAN.exe	97
PID 1828 wrote to memory of 1520	1828	PanSage_@ABYSZ_TROJAN.exe	97
PID 1520 wrote to memory of 1128	1520	PanSage_@ABYSZ_TROJAN.exe	98
PID 1520 wrote to memory of 1128	1520	PanSage_@ABYSZ_TROJAN.exe	98
PID 1688 wrote to memory of 2256	1688	PanSage_@ABYSZ_TROJAN.exe	100
PID 1828 wrote to memory of 4248	1828	PanSage_@ABYSZ_TROJAN.exe	99
PID 1688 wrote to memory of 2256	1688	PanSage_@ABYSZ_TROJAN.exe	100
PID 1828 wrote to memory of 4248	1828	PanSage_@ABYSZ_TROJAN.exe	99
PID 4248 wrote to memory of 2576	4248	PanSage_@ABYSZ_TROJAN.exe	103
PID 4248 wrote to memory of 2576	4248	PanSage_@ABYSZ_TROJAN.exe	103
PID 1828 wrote to memory of 3036	1828	PanSage_@ABYSZ_TROJAN.exe	105
PID 1828 wrote to memory of 3036	1828	PanSage_@ABYSZ_TROJAN.exe	105
PID 3036 wrote to memory of 1276	3036	cmd.exe	107
PID 3036 wrote to memory of 1276	3036	cmd.exe	107
PID 1276 wrote to memory of 4364	1276	msedge.exe	109
PID 1276 wrote to memory of 4364	1276	msedge.exe	109
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110
PID 1276 wrote to memory of 2360	1276	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe
"C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c lock.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\system32\net.exe
      NET FILE
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 FILE
        5⤵
        
        PID:4504
  - - C:\Windows\system32\reg.exe
      reg add HKLM\System\Setup /v CmdLine /t REG_SZ /d "cmd.exe /c C:\dosexec.bat" /f
      4⤵
      Modifies registry key
      PID:380
  - - C:\Windows\system32\reg.exe
      reg add HKLM\System\Setup /v SystemSetupInProgress /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2220
  - - C:\Windows\system32\reg.exe
      reg add HKLM\System\Setup /v SetupType /t REG_DWORD /d 2 /f
      4⤵
      Modifies registry key
      PID:3116
  - - C:\Windows\system32\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5116
  - - C:\Windows\system32\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4600
  - - C:\Windows\system32\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v VerboseStatus /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe
    "C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=968"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe
    "C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=976"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1128
- - C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe
    "C:\Users\Admin\AppData\Local\Temp\PanSage_@ABYSZ_TROJAN.exe" "--multiprocessing-fork" "parent_pid=1828" "pipe_handle=1004"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://www.youtube.com/embed/QT8vnWfTMmA?autoplay=1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/embed/QT8vnWfTMmA?autoplay=1
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdbc3d46f8,0x7ffdbc3d4708,0x7ffdbc3d4718
        5⤵
        
        PID:4364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:2360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        5⤵
        
        PID:812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:1216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
        5⤵
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
        5⤵
        
        PID:5164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        5⤵
        
        PID:5332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6458963164401975822,3344575471669111713,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user Admin YSIrXbmbrYhS
    3⤵
    PID:2804
  - - C:\Windows\system32\net.exe
      net user Admin YSIrXbmbrYhS
      4⤵
      PID:4984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin YSIrXbmbrYhS
        5⤵
        
        PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 0ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4684
  - - C:\Windows\system32\net.exe
      net user 0ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:348
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 0ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 1ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3328
  - - C:\Windows\system32\net.exe
      net user 1ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:3336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 1ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 2ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:1712
  - - C:\Windows\system32\net.exe
      net user 2ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 2ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 3ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4812
  - - C:\Windows\system32\net.exe
      net user 3ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 3ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 4ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3092
  - - C:\Windows\system32\net.exe
      net user 4ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:3020
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 5ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:804
  - - C:\Windows\system32\net.exe
      net user 5ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:4788
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 5ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 6ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4524
  - - C:\Windows\system32\net.exe
      net user 6ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:1944
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 6ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 7ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4728
  - - C:\Windows\system32\net.exe
      net user 7ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:1444
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 7ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 8ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4572
  - - C:\Windows\system32\net.exe
      net user 8ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 8ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 9ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3892
  - - C:\Windows\system32\net.exe
      net user 9ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2296
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 9ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 10ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:928
  - - C:\Windows\system32\net.exe
      net user 10ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:996
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 11ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3660
  - - C:\Windows\system32\net.exe
      net user 11ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:3300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 11ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 12ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3784
  - - C:\Windows\system32\net.exe
      net user 12ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:3992
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 12ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 13ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:1060
  - - C:\Windows\system32\net.exe
      net user 13ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:1908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 13ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 14ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4324
  - - C:\Windows\system32\net.exe
      net user 14ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:1712
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 14ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 15ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4004
  - - C:\Windows\system32\net.exe
      net user 15ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 15ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 16ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3784
  - - C:\Windows\system32\net.exe
      net user 16ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:4760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 16ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 17ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:2784
  - - C:\Windows\system32\net.exe
      net user 17ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:3400
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 17ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 18ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:2080
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4324
  - - C:\Windows\system32\net.exe
      net user 18ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2436
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 19ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4272
  - - C:\Windows\system32\net.exe
      net user 19ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:3268
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 20ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:1712
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3400
  - - C:\Windows\system32\net.exe
      net user 20ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 20ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 21ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:2220
  - - C:\Windows\system32\net.exe
      net user 21ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 21ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 22ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:3300
  - - C:\Windows\system32\net.exe
      net user 22ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:1060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 23ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:2220
  - - C:\Windows\system32\net.exe
      net user 23ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2076
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 23ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 24ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:1020
  - - C:\Windows\system32\net.exe
      net user 24ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:440
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 24ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user 25ABYSZTROJAN ABYSZ /ADD
    3⤵
    PID:4404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2220
  - - C:\Windows\system32\net.exe
      net user 25ABYSZTROJAN ABYSZ /ADD
      4⤵
      PID:2620
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 25ABYSZTROJAN ABYSZ /ADD
        5⤵
        
        PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
a8d2472b6610b6496f77943e2bdd3ca9

SHA1
7979963bf5cc4fb37f7c2465d3209e35855a89d6

SHA256
09ffea5f4c8a8b44993510d9f8373c91024ef32ff24b0ffda4d5c8e601167d90

SHA512
19ccc46dd6cf1de622f34f84331bc4e023a0f77d1a053dff3f978a2193a85d9bbeb47be7b65a0a95aafb64a60fb67c4bdbd84c943a4b8a4e13bac7d772492424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26b48a23b9c8104e38913d3ae6a97d5e

SHA1
bb2f31ae6d0548058379e50a94835150ce4d633f

SHA256
624f89a1f2fde1ee636f78b1467d3c0a8c3aa48a44f5488aecf9676090a30702

SHA512
18b8afc36708466a77d235a7cbe9a4d56f259729419ffe8b7430dc34f770e7d6e1b87994f59f93234ff205405cfa3aa8eac827a8c8fe2b6d2d436b6d695196a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5f5f350c7f46f0ff63b2a8f4b042acb

SHA1
90191a8c4079ddd554d4c918175ad1f80cdd79a1

SHA256
c452f032636d62c7f31fdc733a39b9334ae617c457a975cf16f27d0579dfac7c

SHA512
0a3095ed30c02ecf533d48720e57527d2340b8042af3fcc075ade444f669b7146679ba5481def8252d90c0b3833962823d277ae74f234ca0f90ad09d613f7d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe23d982aa9a1e3e6f4afc50e78603ed

SHA1
299a86ab9257d27e60ea65884a148c0d562dc27f

SHA256
e8357ef2cca96a0835677fa003c4567e183f5043bf181b051c52a2537df660a8

SHA512
b77553873a732291c59db92f3e9d659b20d8a47c8655cbd2feea04634f587e2d00ce9838171e369a469ac467f89db0dd2022c4eb162d2ff0631513016b715c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
057c1ba9d65a1dd11a173783bac7cb4d

SHA1
d4ac63345975f1e6b042c7270388d7c0c2c0fd7f

SHA256
939745ff821f8fa3e5f5ac40aabeda0049bfce89c8a95496ec54c6b19c6fcdbb

SHA512
35bf01446f0c9feca5da9740ae1f92260e965780b0a4252e06a64d86820341ede91c3eb0d808845b479218c788a84ac67f50505bf819f5d4ab1d7c4a205b1a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
68b2b022ac17dbfcd5784ce2e512472e

SHA1
f07e1d8199fbe3ba8319cf0d23b608c6a87f16f0

SHA256
d26a6cde7aba9b191148cf755f3c9eda4a202398bf60307835e16f003cbd7c5b

SHA512
9ba420d35e62bf04702379b2c029b9260abb4f46c33deb96ef9a6d14b5fcb4f3ce0a260451e583740a40e655a016dad1a79599200fa2a1f5b4610475376cbcd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bf7f84a122d4ceffad5f33ee67379e7d

SHA1
3f5de9503ab0f5d61d68f15799c082844ac1e273

SHA256
315057ec0ac065c893f7ff22457d59a34948f69b17f5c6fa113a25b45c7257de

SHA512
0d293c2efe5132df701c18f3b5654475f44d215b9bb9760611141ecc4f1d35efff2ecd737d7e6fc0871480de5222a3d836511e7641726fc600b8d620985e34e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_ctypes.pyd

Filesize
120KB

MD5
496dcf8821ffc12f476878775999a8f3

SHA1
6b89b8fdd7cd610c08e28c3a14b34f751580cffd

SHA256
b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80

SHA512
07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_hashlib.pyd

Filesize
63KB

MD5
1c88b53c50b5f2bb687b554a2fc7685d

SHA1
bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3

SHA256
19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778

SHA512
a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_lzma.pyd

Filesize
155KB

MD5
bc07d7ac5fdc92db1e23395fde3420f2

SHA1
e89479381beeba40992d8eb306850977d3b95806

SHA256
ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

SHA512
b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_queue.pyd

Filesize
31KB

MD5
e0cc8c12f0b289ea87c436403bc357c1

SHA1
e342a4a600ef9358b3072041e66f66096fae4da4

SHA256
9517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03

SHA512
4d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\_ssl.pyd

Filesize
157KB

MD5
0a7eb5d67b14b983a38f82909472f380

SHA1
596f94c4659a055d8c629bc21a719ce441d8b924

SHA256
3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380

SHA512
3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\base_library.zip

Filesize
1.7MB

MD5
948430bbba768d83a37fc725d7d31fbb

SHA1
e00d912fe85156f61fd8cd109d840d2d69b9629b

SHA256
65ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df

SHA512
aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
fa50d9f8bce6bd13652f5090e7b82c4d

SHA1
ee137da302a43c2f46d4323e98ffd46d92cf4bef

SHA256
fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb

SHA512
341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
113KB

MD5
2d1f2ffd0fecf96a053043daad99a5df

SHA1
b03d5f889e55e802d3802d0f0caa4d29c538406b

SHA256
207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13

SHA512
4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libffi-8.dll

Filesize
37KB

MD5
d86a9d75380fab7640bb950aeb05e50e

SHA1
1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

SHA256
68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

SHA512
18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\mfc140u.dll

Filesize
5.6MB

MD5
598536e5ce9c6b10db3579ac7b8bcc49

SHA1
193f8433207de516baa1b38dd8de31bac065d456

SHA256
ffc74cd49df7d8b6ddcb94de1e12a399897aebf066e4884c9e563067ed399c89

SHA512
e53a0fedce5adae83874c6d4bba0d9d0e523c6a65ae307dc1086271d81e09c878ac148a8ecfba67cfabdc6e59db464bd22a0d44c7d2c3474323b920fe75c14f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\python3.dll

Filesize
65KB

MD5
2ad3039bd03669f99e948f449d9f778b

SHA1
dae8f661990c57adb171667b9206c8d84c50ecad

SHA256
852b901e17022c437f8fc3039a5af2ee80c5d509c9ef5f512041af17c48fcd61

SHA512
8ffeaa6cd491d7068f9176fd628002c84256802bd47a17742909f561ca1da6a2e7c600e17cd983063e8a93c2bbe9b981bd43e55443d28e32dfb504d7f1e120c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\pywin32_system32\pywintypes311.dll

Filesize
134KB

MD5
1696732a242bfaf6a50bd98eb7874f23

SHA1
090a85275c7c67430d511570bab36eb299c7e787

SHA256
6583c15de0f5a1b20c8750b0599e5cf162f91f239f8341bda842485d8bbc9887

SHA512
70a03adb89649cece59e6b84a2f79ad53cf7c308ffaca8b19c0b64b59858e73a75addd131776d54b5bf12b747bcbb1ff9a4ce0e35d06bb995e34c5687dd3a25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\unicodedata.pyd

Filesize
1.1MB

MD5
2ab7e66dff1893fea6f124971221a2a9

SHA1
3be5864bc4176c552282f9da5fbd70cc1593eb02

SHA256
a5db7900ecd5ea5ab1c06a8f94b2885f00dd2e1adf34bcb50c8a71691a97804f

SHA512
985480fffcc7e1a25c0070f44492744c3820334a35b9a72b9147898395ab60c7a73ea8bbc761de5cc3b6f8799d07a96c2880a7b56953249230b05dd59a1390ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\win32api.pyd

Filesize
136KB

MD5
3210cb66deb7f1bbcc46b4c3832c7e10

SHA1
5c5f59a29f5ef204f52fd3a9433b3a27d8a30229

SHA256
bf5147f4fffbffa77d9169b65af13d983e2fcccdbca8151d72814c55939bb2c4

SHA512
5d51ede8f464ca7e151bfaaef0b7e81f5ce16678d35a573cae2994db602c2d93f0463c3936fb896dee1cf5192b69fb1051594efa5d4f248a02226ca50b6bfa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\win32gui.pyd

Filesize
237KB

MD5
0f02ac658a741ce27a82cdda63169e85

SHA1
01bd4cc73f048e3273902b6c8265eb16571cc92a

SHA256
d720e0b83caf8f3ef9cc4af5677e2d5f376b558aeedf3dc2d0c06557ba666a0f

SHA512
e040dd72be8966677271d2422d158cdac478465e479a61a872b3be544286fc9a93babe6905222bab4f3c0109f12740aad5a5d956b06176af482451401e43bb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19162\win32ui.pyd

Filesize
1.5MB

MD5
7e3a34f9ac65d3b92bcd4b531f5cfdd1

SHA1
26654fc95e84905434526c1301dc3c2710958be6

SHA256
8376a3885961d2416481f6d180dff9f10fa93114fd4ba1e4b50719a95a2dca02

SHA512
253f4be8a4b3570f915cabb4b4147eb9bfe721dfa165fd056cbca4bf1fc015f2d741250641cf77668209011e276cb651bff785a9616e8081ff3968d65202058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lock.bat

Filesize
1KB

MD5
72d8c4fe0394a7e6601cf453482c47f5

SHA1
4aeabf85fa56cb33f1428e9e3857df9845e53340

SHA256
3f0d9d2279c08280fb2ce2f3258e1f996911fe9a70d3a285308ec936740acc72

SHA512
4e6e075e9db7d40f5f46f2d5f3ebe79b5627dd9388e4092de7d918fc33711195e2d58970a0fb9b210b71ef2d8b2fa8df39977051f54380fe272d2eb4e0d563a0

Download Submit
memory/1828-213-0x00000248142B0000-0x00000248142B1000-memory.dmp

Filesize
4KB

Download