95d2103d1135e79fc4bd7944ad9c326d0ec9359f9e2ecb9d4965ac96268142c9

Analysis

max time kernel
56s
max time network
57s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AngelTokenGen.exe
Size

38.5MB
MD5

aa97d3815027f5d8c624f9e86f7e2afa
SHA1

8d518b5e5472371f301777839939e5b0880736b6
SHA256

d9d78168039c7df2320493ac5cb03e6f94a18e92c6230e8371c409eab922ed76
SHA512

bb205dd500c8ddb197a424fa235ccb4b58849ff4c52b5f1b1a1ae877cf7f0a31cb9cbc443159f087312a8b0212a2845fc439bd93886f7feb78fe56a62c22c109
SSDEEP

786432:++gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBd+yCsKbXMb8wsqAU8A:cXGMK4XR3bLSCU/+6yPl3+KAcMqAU

Score

8^/10

credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
140	4644	captcha.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1880	netsh.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4224	chrome.exe
3152	chrome.exe
3940	chrome.exe
1788	msedge.exe
4616	msedge.exe
4756	msedge.exe
2340	msedge.exe
4692	msedge.exe
3380	chrome.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 6 IoCs

pid	Process
4644	captcha.exe
5492	python-3.12.6-installer.exe
1736	python-3.12.6-installer.exe
2016	python-3.12.6-amd64.exe
804	python-3.12.6-amd64.exe
4848	python-3.12.6-amd64.exe

Loads dropped DLL 47 IoCs

pid	Process
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe
1736	python-3.12.6-installer.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-3.12.6-installer.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
141	5012	msiexec.exe
142	5012	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
736	powershell.exe
2444	powershell.exe
3024	powershell.exe
5164	powershell.exe
3344	powershell.exe
5248	powershell.exe
4784	powershell.exe
3328	powershell.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	captcha.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com
1	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 20 IoCs

discovery

Process Discovery

T1057

pid	Process
5872	tasklist.exe
5780	tasklist.exe
2904	tasklist.exe
4652	tasklist.exe
5388	tasklist.exe
4428	tasklist.exe
5464	tasklist.exe
3384	tasklist.exe
6100	tasklist.exe
5556	tasklist.exe
5688	tasklist.exe
5028	tasklist.exe
5664	tasklist.exe
2880	tasklist.exe
5740	tasklist.exe
5988	tasklist.exe
3956	tasklist.exe
6100	tasklist.exe
1684	tasklist.exe
5992	tasklist.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e583ec9.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3BAB90AB836CDAAC.TMP	msiexec.exe
File created	C:\Windows\Installer\e583ed3.msi	msiexec.exe
File created	C:\Windows\Installer\e583ecd.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB9B54E82BFB851F4.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3FC3AEB56EC26AC4.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF04B51212F4785CBD.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\Installer\e583ec9.msi	msiexec.exe
File created	C:\Windows\Installer\e583ece.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583ece.msi	msiexec.exe
File created	C:\Windows\Installer\e583ed2.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF743190BE4381E2CC.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51}	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46C9.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2CCCF7B7776823F8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7940D61BD9A00A84.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4457.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF07F81C0D61D9330A.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDD19362FD5BB0B36.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e583ed3.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFAC574FC7A55804D7.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AF1.tmp	msiexec.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
5248	powershell.exe
3328	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
5860	taskkill.exe
5524	taskkill.exe
5740	taskkill.exe
5848	taskkill.exe
5232	taskkill.exe
5540	taskkill.exe
5720	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876014139048767"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies	python-3.12.6-installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c004346534616003100000000006d5a2e8e120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe6d5a2e8e7c5a3d112e0000004b570200000001000000000000000000000000000000604b92004100700070004400610074006100000042000000	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AngelTokenGen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-3.12.6-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-3.12.6-installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-3.12.6-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-3.12.6-installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AngelTokenGen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Dependents	python-3.12.6-installer.exe
Key created	\Registry\User\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\NotificationData	AngelTokenGen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007c5a4b11100054656d7000003a0009000400efbe6d5a2e8e7c5a4f112e0000006057020000000100000000000000000000000000000023e10c01540065006d007000000014000000	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	AngelTokenGen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	AngelTokenGen.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	AngelTokenGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-3.12.6-installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	AngelTokenGen.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4576	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
788	AngelTokenGen.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4224	chrome.exe
4224	chrome.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
2444	powershell.exe
2444	powershell.exe
2444	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
4644	captcha.exe
4644	captcha.exe
4644	captcha.exe
4644	captcha.exe
4644	captcha.exe
4644	captcha.exe
4784	powershell.exe
4784	powershell.exe
3024	powershell.exe
3024	powershell.exe
3328	powershell.exe
3328	powershell.exe
5164	powershell.exe
5164	powershell.exe
736	powershell.exe
736	powershell.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
788	AngelTokenGen.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	tasklist.exe
Token: SeDebugPrivilege	3384	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	4652	tasklist.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeIncreaseQuotaPrivilege	2444	powershell.exe
Token: SeSecurityPrivilege	2444	powershell.exe
Token: SeTakeOwnershipPrivilege	2444	powershell.exe
Token: SeLoadDriverPrivilege	2444	powershell.exe
Token: SeSystemProfilePrivilege	2444	powershell.exe
Token: SeSystemtimePrivilege	2444	powershell.exe
Token: SeProfSingleProcessPrivilege	2444	powershell.exe
Token: SeIncBasePriorityPrivilege	2444	powershell.exe
Token: SeCreatePagefilePrivilege	2444	powershell.exe
Token: SeBackupPrivilege	2444	powershell.exe
Token: SeRestorePrivilege	2444	powershell.exe
Token: SeShutdownPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeSystemEnvironmentPrivilege	2444	powershell.exe
Token: SeRemoteShutdownPrivilege	2444	powershell.exe
Token: SeUndockPrivilege	2444	powershell.exe
Token: SeManageVolumePrivilege	2444	powershell.exe
Token: 33	2444	powershell.exe
Token: 34	2444	powershell.exe
Token: 35	2444	powershell.exe
Token: 36	2444	powershell.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	5740	tasklist.exe
Token: SeDebugPrivilege	5988	tasklist.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	6100	tasklist.exe
Token: SeDebugPrivilege	5388	tasklist.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	5556	tasklist.exe
Token: SeDebugPrivilege	3956	tasklist.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	5688	tasklist.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	5872	tasklist.exe
Token: SeDebugPrivilege	5780	tasklist.exe
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	5992	tasklist.exe
Token: SeDebugPrivilege	5848	taskkill.exe
Token: SeShutdownPrivilege	4224	chrome.exe
Token: SeCreatePagefilePrivilege	4224	chrome.exe
Token: SeDebugPrivilege	6100	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1788	msedge.exe
4224	chrome.exe
1788	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
788	AngelTokenGen.exe
788	AngelTokenGen.exe
788	AngelTokenGen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 788	428	AngelTokenGen.exe	78
PID 428 wrote to memory of 788	428	AngelTokenGen.exe	78
PID 788 wrote to memory of 1768	788	AngelTokenGen.exe	79
PID 788 wrote to memory of 1768	788	AngelTokenGen.exe	79
PID 1768 wrote to memory of 4644	1768	cmd.exe	81
PID 1768 wrote to memory of 4644	1768	cmd.exe	81
PID 4644 wrote to memory of 2880	4644	captcha.exe	82
PID 4644 wrote to memory of 2880	4644	captcha.exe	82
PID 4644 wrote to memory of 3384	4644	captcha.exe	83
PID 4644 wrote to memory of 3384	4644	captcha.exe	83
PID 4644 wrote to memory of 2904	4644	captcha.exe	84
PID 4644 wrote to memory of 2904	4644	captcha.exe	84
PID 4644 wrote to memory of 4652	4644	captcha.exe	86
PID 4644 wrote to memory of 4652	4644	captcha.exe	86
PID 4644 wrote to memory of 1648	4644	captcha.exe	87
PID 4644 wrote to memory of 1648	4644	captcha.exe	87
PID 4644 wrote to memory of 4224	4644	captcha.exe	93
PID 4644 wrote to memory of 4224	4644	captcha.exe	93
PID 4644 wrote to memory of 1788	4644	captcha.exe	94
PID 4644 wrote to memory of 1788	4644	captcha.exe	94
PID 4224 wrote to memory of 2044	4224	chrome.exe	95
PID 4224 wrote to memory of 2044	4224	chrome.exe	95
PID 1788 wrote to memory of 4116	1788	msedge.exe	96
PID 1788 wrote to memory of 4116	1788	msedge.exe	96
PID 1788 wrote to memory of 3096	1788	msedge.exe	97
PID 1788 wrote to memory of 3096	1788	msedge.exe	97
PID 1788 wrote to memory of 804	1788	msedge.exe	98
PID 1788 wrote to memory of 804	1788	msedge.exe	98
PID 1788 wrote to memory of 2896	1788	msedge.exe	99
PID 1788 wrote to memory of 2896	1788	msedge.exe	99
PID 1788 wrote to memory of 4616	1788	msedge.exe	101
PID 1788 wrote to memory of 4616	1788	msedge.exe	101
PID 1788 wrote to memory of 4692	1788	msedge.exe	104
PID 1788 wrote to memory of 4692	1788	msedge.exe	104
PID 4224 wrote to memory of 1972	4224	chrome.exe	102
PID 4224 wrote to memory of 1972	4224	chrome.exe	102
PID 4224 wrote to memory of 2964	4224	chrome.exe	106
PID 4224 wrote to memory of 2964	4224	chrome.exe	106
PID 4224 wrote to memory of 1944	4224	chrome.exe	107
PID 4224 wrote to memory of 1944	4224	chrome.exe	107
PID 1788 wrote to memory of 2340	1788	msedge.exe	105
PID 1788 wrote to memory of 2340	1788	msedge.exe	105
PID 1788 wrote to memory of 4756	1788	msedge.exe	109
PID 1788 wrote to memory of 4756	1788	msedge.exe	109
PID 4224 wrote to memory of 3152	4224	chrome.exe	108
PID 4224 wrote to memory of 3152	4224	chrome.exe	108
PID 4224 wrote to memory of 3940	4224	chrome.exe	110
PID 4224 wrote to memory of 3940	4224	chrome.exe	110
PID 4644 wrote to memory of 5104	4644	captcha.exe	112
PID 4644 wrote to memory of 5104	4644	captcha.exe	112
PID 4224 wrote to memory of 3380	4224	chrome.exe	111
PID 4224 wrote to memory of 3380	4224	chrome.exe	111
PID 4644 wrote to memory of 3344	4644	captcha.exe	114
PID 4644 wrote to memory of 3344	4644	captcha.exe	114
PID 3344 wrote to memory of 848	3344	powershell.exe	117
PID 3344 wrote to memory of 848	3344	powershell.exe	117
PID 4644 wrote to memory of 2544	4644	captcha.exe	118
PID 4644 wrote to memory of 2544	4644	captcha.exe	118
PID 4644 wrote to memory of 4572	4644	captcha.exe	120
PID 4644 wrote to memory of 4572	4644	captcha.exe	120
PID 4644 wrote to memory of 2444	4644	captcha.exe	122
PID 4644 wrote to memory of 2444	4644	captcha.exe	122
PID 1788 wrote to memory of 1648	1788	msedge.exe	124
PID 1788 wrote to memory of 1648	1788	msedge.exe	124

C:\Users\Admin\AppData\Local\Temp\AngelTokenGen.exe
"C:\Users\Admin\AppData\Local\Temp\AngelTokenGen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\AngelTokenGen.exe
  "C:\Users\Admin\AppData\Local\Temp\AngelTokenGen.exe"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start /B "" "C:\Users\Admin\AppData\Local\Temp\captcha.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\captcha.exe
      "C:\Users\Admin\AppData\Local\Temp\captcha.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        5⤵
        
        PID:1648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-extensions --disable-gpu --no-sandbox --restore-last-session --remote-debugging-port=8303 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --mute-audio
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5de9dcf8,0x7ffd5de9dd04,0x7ffd5de9dd10
        6⤵
        
        PID:2044
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2636,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2640 /prefetch:2
        6⤵
        
        PID:1972
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=3208,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3200 /prefetch:11
        6⤵
        
        PID:2964
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=3228,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3220 /prefetch:13
        6⤵
        
        PID:1944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=8303 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3152
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=8303 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3680,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3520 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=8303 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3932,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3928 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4564,i,12226210760144599196,383493334709778880,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4560 /prefetch:14
        6⤵
        
        PID:2252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --disable-extensions --disable-gpu --no-sandbox --restore-last-session --remote-debugging-port=8004 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --mute-audio
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x230,0x234,0x238,0x22c,0x2e4,0x7ffd5e25f208,0x7ffd5e25f214,0x7ffd5e25f220
        6⤵
        
        PID:4116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=1868,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1860 /prefetch:2
        6⤵
        
        PID:3096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=1920,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1916 /prefetch:11
        6⤵
        
        PID:804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2204,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:13
        6⤵
        
        PID:2896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=8004 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3340,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --no-sandbox --remote-debugging-port=8004 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4000,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --no-sandbox --remote-debugging-port=8004 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=3992,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:2340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --no-sandbox --remote-debugging-port=8004 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=3952,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3248 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:4756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4560,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:14
        6⤵
        
        PID:1648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --mute-audio --onnx-enabled-for-ee --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4612,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:14
        6⤵
        
        PID:5088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5312,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:14
        6⤵
        
        PID:5168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1096
        7⤵
        
        PID:5828
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5396,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
        6⤵
        
        PID:5852
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5396,i,1942665580271740351,2318252986371698110,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
        6⤵
        
        PID:5764
    - - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        5⤵
        
        PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
      - C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        6⤵
        
        PID:848
    - - C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        5⤵
        
        PID:2544
    - - C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        5⤵
        
        PID:4572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
    - - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        5⤵
        
        PID:5468
    - - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        5⤵
        
        PID:5540
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5740
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5988
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5388
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5556
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5688
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5872
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5780
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5848
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5664
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:5232
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        
        PID:1684
    - - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        5⤵
        Enumerates processes with tasklist
        
        PID:5464
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:5540
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM Discord.exe
        5⤵
        Kills process with taskkill
        
        PID:5720
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordCanary.exe
        5⤵
        Kills process with taskkill
        
        PID:5860
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordPTB.exe
        5⤵
        Kills process with taskkill
        
        PID:5524
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordDevelopment.exe
        5⤵
        Kills process with taskkill
        
        PID:5740
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5852
    - - C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        5⤵
        
        PID:5904
    - - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        5⤵
        
        PID:4060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
      - C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        6⤵
        
        PID:228
    - - C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        5⤵
        
        PID:4292
    - - C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        5⤵
        
        PID:3124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious behavior: EnumeratesProcesses
        
        PID:3328
    - - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        5⤵
        
        PID:5156
    - - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        5⤵
        
        PID:4572
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        5⤵
        
        PID:6076
    - - C:\Windows\system32\hostname.exe
        
        "hostname"
        5⤵
        
        PID:5260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        5⤵
        
        PID:564
    - - C:\Windows\system32\netsh.exe
        
        "netsh" advfirewall show allprofiles state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1880
    - - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
        
        "python" --version
        5⤵
        
        PID:5508
    - - C:\Users\Admin\AppData\Local\Temp\python-3.12.6-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\python-3.12.6-installer.exe" /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 InstallLauncherAllUsers=0
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5492
      - C:\Windows\Temp\{58F7C1B5-BC25-43B8-A24A-E19B53DD1FA0}\.cr\python-3.12.6-installer.exe
        
        "C:\Windows\Temp\{58F7C1B5-BC25-43B8-A24A-E19B53DD1FA0}\.cr\python-3.12.6-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.12.6-installer.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 InstallLauncherAllUsers=0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3428

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C4
1⤵
PID:6132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\deal.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2016
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250328021044.log" InstallAllUsers=0 PrependPath=1 Include_test=0 InstallLauncherAllUsers=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:804
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250328021044.log" InstallAllUsers=0 PrependPath=1 Include_test=0 InstallLauncherAllUsers=0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250328021044.log" InstallAllUsers=0 PrependPath=1 Include_test=0 InstallLauncherAllUsers=0
    3⤵
    PID:2228
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250328021044.log" InstallAllUsers=0 PrependPath=1 Include_test=0 InstallLauncherAllUsers=0
      4⤵
      PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583ecc.rbs

Filesize
8KB

MD5
513be4a1bdd277137f84df2fcdfbbe1d

SHA1
716840d0b4b3535197687de3a6453dec69c7ce03

SHA256
3d98db4b6dad3b35e9d3ee3188c09b963d41cfaf6500f8c79491a42e7f2bc7d4

SHA512
3c85341c1cd03723e1f2daad9301a6349ee1d9f702c0e39a97bf569dc6d7e60c1d196fab1b80cdfca510f02a5d4e7e1abd4b734c124f25b60b7d4975cf9b0973

Download Submit
C:\Config.Msi\e583ed1.rbs

Filesize
12KB

MD5
9b970bcd5675da466e690b6c7aa4f354

SHA1
0a2a93c4d1c8060624cb270ebe1961ab1a4d0ab1

SHA256
1878d37f7740aba8c11ad20b5d5d440d95671e5a84168d417ffe48d2dcc158a1

SHA512
5d1598ae962d8b8494a59cbd9e9c9cc19079a5feb65eeea840bc6107013c57a0f8640fcdec19449b93f63ec4b437521579b155e73fe8530bbc656b8d0d085f4e

Download Submit
C:\Config.Msi\e583ed6.rbs

Filesize
50KB

MD5
c636bf30f2448fd7887ed0c18fc46a3c

SHA1
1acd52532d17fbbe79f3f8b16bf96a6f16735bd7

SHA256
019660cfe6775ab45a77393525a7e9ea95d4d89866ee4bb3e96714edcf9c37a8

SHA512
b47dbf56cc20d4ec0d772d02330797473e7eed51d75b78b2fe8c956b31daeccb43a74bb4073567ddc553c4035d19e25322d90eb9d20ed2dbcaeb80442b75ed6d

Download Submit
C:\Config.Msi\e583edb.rbs

Filesize
138KB

MD5
8ffca327a25f2550fea031824f848b85

SHA1
7e2c24ea4b9d88e04abf54fc9d12b5ec2042ee81

SHA256
9c6a3b96672eeeb1c0f02347d6b59c3f1f3327a84f1a0a48a85aeda9d823bb93

SHA512
311b501f5847944abe79c7e52d3804c41ca8c65b550be44a8ed364fc4ef7693a15e28a8ce7b360a4bacfb03a1f32574bd22e311f25c63064894a011266ef8917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
360a6726f0951c3b3426446f928247b6

SHA1
47922cb54f40e623ab6f651099925d33b18b9e28

SHA256
31c54eaa799cd744c85f48f317b377cdd1fdea3714f76cf229ba4532f3bdf0eb

SHA512
878fd00e4e2d84caf3b390845e86bbfda06e83820d0490dded8aa1fa948e91db108d1eabde63165e6db59bc75a19bba09b6683d8c19df7dbc4ce862717d65d11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e4c9916669545fadd4eb07b2ace43af2

SHA1
af38a02ff067c0c9029fc26099a9c6813c0b9ee4

SHA256
0c45b5aae056d61d73c8f43559ff7b143c68238f1b1b4cb354d4346f39d04e4c

SHA512
fa3dd0081d77359eb23041c5b3f6a2b2a475fd58b0b773cb063527484dd73ef37054bcc66e95c833b4243b8d0431e2864a009ed03e0947ff3006016a60a27b56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ab5dcf41-9488-4fb3-9ce1-52661f577322.tmp

Filesize
13KB

MD5
4b5a817ddde24ef729b125bfce14469d

SHA1
178163d9915dbed29a89fec0f0d570da2f4a3346

SHA256
121987d3b288daca3c19870484d8405c2d70d312a81853eb2719d9274f9d6ea9

SHA512
a7466b6d9163f5e16faa7becdb569d9adeb7b04ef7561ef89010e9aeaf040b9dfbb04f6c052d7808db9e9ad9e8daec6a1de9074b288762482ea822f7306c31ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
7d0ac759072b35cfd68fe476e1d910f3

SHA1
2656878733d0b05c5405f35ec54636aad0a20c79

SHA256
71adc774a4d4e3cd23dba2f068a91acf9f25822de1a92a262b7e8407efec3cc6

SHA512
a890fb9bbf8b7d7973c5f977f9f7fe4a144a7f78b8594482548184f17644b5a3eef80c222337487a2485989c7250afa24d2ac53c22bd225e8321b7cd2bbbc516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
15bf7eb5ceaf896adc0a8316456dabd5

SHA1
f87a01876bb53719dffaee1770a0ecd85ef025fd

SHA256
4a2aa6681d5f0f096e1e5e3170b6ec29e84c8483166a035671503feb26bdb841

SHA512
2ce9c00d079c1c38d1c6886c271babf79c5d7d68b36b9a2f3e08704adca6460736d88708dfd7c31df82c9ec02e9c5b3b267b41d60da97c6e422e5279ed896c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8165d331a65e980c7f75dba657342854

SHA1
44967c0388744de38b07e07e3a9cb174854eb7bf

SHA256
08d7b1fa1c3cdacb73cb9b34bb51a0516bfeac2f10ec54f2f27469d1c97820a9

SHA512
ee23180ed03c5042d6e6343ac2181a6d9ffbbb775e1031222e46b4a61eca4f1caf2dab50269271a07b284e270195595c91ce8c43d4cef77c8873845216546e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
02cf1313b32a8ab2f031cee39bee8fc3

SHA1
861cc0ab9ff881460dd6433e37075b822aac9355

SHA256
7e7fd13903a8d57f314d9e7dab6fa28975050b63f045eb315e96cccaa17d1e61

SHA512
f5464c94391bfb590f6755c2ae6896dd459a2a93d778601caebf272438c2ff127ec5de81dcf8efeec65a56609558477afc7be1c4993977a18fde7b915f7a8700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0310352b-5dd9-42e7-9f74-54dc709f5089.tmp

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
ccf663da401e54650caff134697a151d

SHA1
816e6b1ac2597b3bd4c468c9997594d5e2f489e7

SHA256
851eb5a4eaf9814ce30447446865fed42aef5da441d1062bf79f900c319d2253

SHA512
87185cdb4854262aa573850f079a42e371bfb83ef4fe01a9da8dc2e79d4509effba2977f82495c09b63c3ef2579f35b39cd1900a531bdbb8449a1df0b90b3acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
29614784970678ebde29b8ecdf6dfd26

SHA1
e6f135fb6d2d778efe8f29fd6e5b5c04cb49243d

SHA256
30d67e657ebb614a18c19d5188732851388565143cff58aa492457abf1ab255b

SHA512
b3cf6d3878f96660ac2a96bd9c7be6e7d0985bb805470f107d1a53e4bd0560e8791874c9ace50817f04687b9da6865ea7034c33811e27b18f14f42b6ae317aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index

Filesize
648B

MD5
92b823cd1a3fdbf9a96c2d1f966cf5a5

SHA1
14f12a062ebf24c2e786b0a0c9f3e92b3648ebea

SHA256
e3b26b879cb279f00f328dfb420617838f4a3dd58f57bc929745812129b7adc1

SHA512
d5aa299941050792b909b96cfffb1bbfc2e1cb033e5bbbad3c4b69aa86176a52e48208be26b3c9cfe981cc7c1f64a9592937ec7365152ed0b46511374b2048f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index~RFe57ad18.TMP

Filesize
648B

MD5
ac2c300f9f4fdacbcfd87d0ad906647c

SHA1
2b4761edb539ab95e88ec5db12b0ca29514d83f2

SHA256
00abe6cbba6135da28197e6550210ac29557582fb00e1e3cae38e04fe78f3de3

SHA512
a4f3579564cde1e0838e2ee557af56deb9345d73d75d3195fa47035394ae209c208a6fb5e902256a2dccb2183bf0662cc5db0df380df76321e43aafed4b48557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
729B

MD5
dade19582b08f9b5b6abab9d15cb013c

SHA1
5b7590f987804e349bff743b5fe1ffe69cd42787

SHA256
3980da09183965de65b2e77d923ef653a9240bae00f7777c3c630a4abc853c95

SHA512
44dd49e5c7ef94b5147ba0ce0e7c89a627cfc1fa54bc826c96e3a59f0271b570e2a06a9101fa537d11a84395fc06bb4d188167ad7dd284d5c5ec503ac6ecfaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
1KB

MD5
b5838660ff4dde9966efa01fc4054d72

SHA1
3aa93a24d018b92f954729dbe542e8d4eaaf212e

SHA256
f414e567d335ce90c6de66addec76ddb88add442a3111a24d9c5938bbade4a94

SHA512
e6a1e31da9112aad6de40624eae10a59a11135d1b41aaaf0a5ecfd55505db9cf30bd0a3e81d012f39955b863d11a314f1ba06023b057461b9e37778506f5ded0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
359419874e88b1699103cc08a914ca32

SHA1
264a2f4284361c305c61c9dfb031715a03513120

SHA256
c0df922267540886fccac03042c99ab94b2e01b68a1496e3b5015a2ca30363fe

SHA512
3c9b77fc0ef3b39e7d592eb64cc52c576a47b56759448a22884591af83825a133abb225b907744cbe1e72eaba7cdda14718cb74c792f2766aa837204067dcda0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
52bd9cfab00506d2ca7415d4f4091a01

SHA1
fd653e979562f4911462dd4e94ac6d7f46914253

SHA256
bff543175bfe1d4bd307772b247c956a42daf270d7661bf7b867a432b447cd40

SHA512
3c9b852617ad343300c2d6345b7709c3f384166efd7375c2870a5e6039be4679a407adeb24c08a02b945c03a4538d87b64a28c6bd99c8075faefa75517df1bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
f49f0ab523e28781d2313bd5c6f72df3

SHA1
48db39033d17e309163db00759a70ff3a99d5399

SHA256
1031a796483bb1611bc413a26b10b1c5397a7fbb5cd29f585900bb73a34df873

SHA512
f40478a725d3f0d9233435be9c414289504e6e77fca5586f11c5c8dfce303b09bb8feb649e1f9b4e54bb26e6a0a6c995a1250ede61c71b64682e642f93ff685d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
fc26a0291c573f0bd7dc8d7f81a4374b

SHA1
610c4579dff18550517f8d42e8d5752781ad6733

SHA256
8d4ec31acfe99fc329f27b6a41110b8f582118c346cb54cf67deb04e9d648a6a

SHA512
8921d57e870dde64a894ca0dfe05b14fe08d7ed6a8e742592a32ba0b0719ed4e640733e0d3a50a94db9b8c6a8ed34be79448981a42d747fd2cbaf65f953d20fc

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
5.5MB

MD5
7d2977bbcfa7d583bdf79fb43202408a

SHA1
f09d14f1d1f25844456effc7c39288d7a9ebcd36

SHA256
36eab15befd911d6640a109319d79a50124ac3b75e269e9b96ced13c63dff478

SHA512
6fd3db87c50bbad336412ac64afa5d7a942770435c52c1222adce0ecc2598e6691165e8646a99cf2c3055ea62b338a5dfa1a8026f6cadbfacacf3f29d3b4d9d5

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax.zip

Filesize
3.2MB

MD5
999ab422739e06b9a507307f54dd45c6

SHA1
658c723a13e3ff9efbd111df03d7591df07b44f1

SHA256
27a49a8e344bc5c159a7e82d4b6d64b540082a9b6907d5bd7728a1edc8f363e5

SHA512
157c4c1d541cac40ed3b50109bae6f1c3c6f160648b74062fc746e81496d39d2b386a270cd8d1f8cb00f8d3d4b99895c704347cad4af5d0a59ac37836792d8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps.txt

Filesize
594B

MD5
c4bde4c7b9d2bd96b3a494b834b1fb5d

SHA1
7f60e4d587a393f40130430ad59288e0bdf8b81f

SHA256
dbb4d0149b3459ff2e3e769269b7b85b805a3c62142a12f74abb43f5a24a36c4

SHA512
378ffdb85115a709f78faeba0ea3c91c271b87cdbd15da9b7e36a2e66f407ffd92e37a653b34f16891b88614aab0256be1318db380853ab1dd51bf01260cc1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\CREDHIST

Filesize
24B

MD5
2e7a11600e2eca91c708f732249a37eb

SHA1
95de57a5301495fe77bd5ef79212ac9028d01ace

SHA256
883722eb5c9a568978a652e9adfaccfced7a9346890467adc8387914806d0e62

SHA512
1e4af8f0fc87a6a5d8593bf6936f6f8272b0a0be6a2d91082d4d2ca3333d4acde37c4db958f340d0ecdb2e8b7d138afe04ba0cfcd0b3fca9a986782a0cec41de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\S-1-5-21-994669834-3080981395-1291080877-1000\Preferred

Filesize
24B

MD5
184aa107a165da70cf685d72bcfac8ee

SHA1
12a4b66e079923e9e8f154efecb7958328281092

SHA256
4b8cb0087042a54b0f31d4ab9b8f7614923d6353e9a2062aadeb2fe6c6c15122

SHA512
cf7059f1d2c843897112a925169e605424934a2adcc7cc8f11ae96a1dbdae54f1fb9f8a80a8cafcfa33a092a77bc2822a79d0228c60f0b9cf6a2fbd7a185a5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\S-1-5-21-994669834-3080981395-1291080877-1000\c7ce1b98-afe3-49a0-9c94-ec233a77a227

Filesize
468B

MD5
bdaec1d6e2bbfc4d1275fdb63182f113

SHA1
953bf4f16f7fab73b800fee72781f788dd923284

SHA256
1a54665c9da89b5e963ba9c286747c12170716c36e86bd1fdcaaa2d212be4268

SHA512
37598614dcb8958cc31c38bc98db950b5e8b80f67359af0f1e00c4f11e45dc8f81c5472f3813500c83d421f9e4c4378168fb586f20f8925086ac6391c4d14f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_2\DFBE70A7E5CC19A398EBF1B96859CE5D

Filesize
10KB

MD5
5f1eaeafd9854c04e2e968b29c2d36fb

SHA1
bda83eac0408b0a86f3ab71707a0895e92594d54

SHA256
e62d6d828d3962c756962c0afa0790d5027735aff38495b2a6e198f8d193c679

SHA512
f504ac825f03fbf31147ed1b299bae0a117f1b3fe6275695b5ff50a9b76ab81d6695cc8e60ca595712e206a7873bf245413d7fc2fe1a8040b9baad19cab3ef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\RDP_Sessions.txt

Filesize
499B

MD5
13ad7335611fcfb88efa3590a11f2212

SHA1
ae8de55bb91229e0e3e082697c2ffa877340c437

SHA256
1f93e1567b7b8ddcf5db5ea670eecf1ce717ce72346bb28c131be218f25bf8ed

SHA512
14e5393c6ad833c222d9f883006891190ce5811d484be079b820beb10fda99a8b0ec9c2470a091c8f0b118f5319b5425517849a50e72ed3c753beeba0132dc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\cmdkey_list.txt

Filesize
174B

MD5
c5b541fb56165a4259670f677dfb65a1

SHA1
09ba6da87cb59da020d7893fcc6a93f5f1171cf2

SHA256
c98f0a463a23076d898ad5efde30ff40f414d417ca765ba5baabad895b6dea57

SHA512
340feca551497900fb3b60bc72882f38ead17f6afba809df2de65326bdb49f7a764b4272d5c828052c64707668efbbff032d03f56f38c42691058f995dbc002d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\windows_vault.txt

Filesize
336B

MD5
da510ee1496286415109f3ec58d6123c

SHA1
8886a1786606d8f5d693a6e87fef39054bd022af

SHA256
82c3ed7cb28a633ba026353c6349e8305423e5e1202f8c6030ec1b8706932e73

SHA512
f2b5b6e278e6a91e92d0dc296e7837c3d486505a23fe3f574a5c56735a369e30c06942a2695f09a110884d7988b512f02d9a599b82b6abe9bdb3f0e8d8286b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\ConnectedDevicesPlatform__connected devices platform certificates.sst

Filesize
653B

MD5
1134ae46119dfe568c9c85e25dc5835a

SHA1
00b85fa1249cc447c559f5ef338fe66221fa72fc

SHA256
aec7fd316e9064364802f8c2756224de33bbb781cfcf8217c9108a431410d400

SHA512
a66dc63b13ba15736b51a5e3f36d946c542d03dc6d206d3e80bfcbf6237a60b1fd7617f15c407b7b3d5f81d6a9cb9152cd638f42bbb6134012453f34d356e7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Documents__connectmove.rtf

Filesize
260KB

MD5
4990cab2093aee4cf29341c90fd10b86

SHA1
70802e67ad2d2df2aa3a8eb8057a591bd436608f

SHA256
39f6c1d3fb46deb90489069916a1f1d1a893908a57416cd608421c2c94959c65

SHA512
9e0154bd3553695a370b43782efabbba90433c435151f7f3e278ae8354c5544d4f85f386be7ae94d65b49339f2538ecaf013e12275391761e61d997717986208

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Documents__disconnectsearch.vsdm

Filesize
582KB

MD5
8f457a569600d456bdaef31f2ed0a0ca

SHA1
d569b57b826e8cf6b1de8f737cd691c3f2c962a5

SHA256
d6ead838587e07afa0d10b8e58f142a5ec5db6d81c25e451e3161dd2ce57088d

SHA512
3621a298b29c014bcdde93f99e201574112a916e4dd98d20596c33b3aa80b170e41646e5c9bab81a6b3e29b6874f6f81ebc26fd603e7d860f84f481fc6cea1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Documents__selectdisconnect.vstm

Filesize
310KB

MD5
526def8b098639a2fd1e1364bcb377b0

SHA1
506a7cd9145a19687e1f2253b3643dee9bdb88bb

SHA256
d0426b19507fa06dcbee8c9bc5a8d00cbdb829ae140fbebbfa71d737e5be103d

SHA512
3acfa23b3179f07724e210ad38235dff72232fdaeb07a17f8db5a592f43733e5799b2aa03c8ad9ccd5b314a178095fa9af79865d0b0fd0b355b3ca214d4aeba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Downloads__connectrename.htm

Filesize
207KB

MD5
76500d11c52f48755ac74ffe030de9ab

SHA1
9c47919f5b64947d985acddce7d80554a0e9ffe8

SHA256
75895439366e85cb80c3b6b07266d936223037ab9f2924c0fac86a249cc4ce8b

SHA512
1d1ed3c0c5ecaeb215cf1e7f5208cf50f486167803ee4d110d8751605cfab6a89af79dd1deacfeae8303565000e00e39febd6f915b8e728642f982755aaddf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Downloads__disconnectcompare.docx

Filesize
165KB

MD5
9ea5d0563620ffc6aa1e1ad62c893884

SHA1
139fbe65f2141716c5183fecb4860118159a34ae

SHA256
cdeb39dfcc8b8fbd70510317692f0b0376f944b06215a68762e25bced115f429

SHA512
6340ec2265113e3b34b270d8ee2f1630add50fb2c1f42294196c20102f0e228fddf95bb304991b6559db3d3fe7b415dc9fafed9f29c08b7506bfc9ef64b4ecce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Music__connectopen.lnk

Filesize
397KB

MD5
2fbc94edaa0344eaf16c60046e8384e5

SHA1
682cccde0a83430e389f5850daf7811985f42bfb

SHA256
8d061dd14a36d7679cd8b18e2f9d9a34786ea6ac6419f42425fc9b32cc88dab3

SHA512
f5c40d25367f5d12607d4688dae60728faa1d5012b4df6aba77fa239b4cc0546971149cd41f6c5384e9004224dca31bdd285689332395115dfbbc390161e317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Music__connectread.3gpp

Filesize
313KB

MD5
ce8d7a4c7176f58acd2a231e5a484fed

SHA1
0d6a3bbcbaefc1067dfaec668117eca95c7c7507

SHA256
d3b070f9170cc24ce2997009ef570569ed4b7f02bc8ddbeedc07b02725f06a63

SHA512
17d959203bb54e70cda39b0a6b57bd5830a7bacfb82376a99c4d6caa4d12969b3b01ffba09eddf332a291ebea4bdd6adc1071bd0b3555a03922c8096d2802bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Music__disconnectcheckpoint.pps

Filesize
803KB

MD5
5b33e0a6ac0be7b96561f466230f61b9

SHA1
736fd604b8363bf217c7219c92cedbc1b514fc72

SHA256
5c947292ac82adf89077e243a1f7a767d6ce4be25ae914f0fb552ff2bc96cd07

SHA512
6f358cc47453761147345dbfc64566e3781afeecbf1263e95a35ef541e6f532fc0632bc131b045348f4e1ff143f61bb0876481c340faadee3e8b9f23a0f8d7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Searches__winrt--{s-1-5-21-994669834-3080981395-1291080877-1000}-.searchconnector-ms

Filesize
855B

MD5
23fe3da140035c37974e65953f20c2eb

SHA1
93e89f0dcc5c4e99eb0db5f16cd797a013eb6a0f

SHA256
d1c2fcd3dfefebc427d69d9b7c60594bc583c78c787e51f682ff68cbb55069f6

SHA512
d3f19d564f789a45eb9e944a558836fea687886edd9b734a847d80bb3a0d4b8040b9003b294ffc0f91e12b7005d3a6c64116c2a687e6b493cdfce0032bf31fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\WindowsVPN\windows_vpn_connections.txt

Filesize
862B

MD5
ac9b930e233d016346ff67d6a3f5a9e6

SHA1
fcf0e44ae5b569708eeef45826e2f46e611a8eee

SHA256
7fb38f1012513704aae95eb7f8cd64c3413f1e64609aa0ec59faa7698330487c

SHA512
7188664b63c0538f184225846df1e4ed50f724a9f1fd87c93b341fa107b705b2459afb1632f5e0205938ea0a6535d86e59a440c042e76bf616b3c230113b03d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Certificates\personal_certs.txt

Filesize
65B

MD5
8314c362164d829cb812467c333662a0

SHA1
3ae5f774269aaa4fdeaf4e5eb78b7a6f7625ab97

SHA256
354644ecf4d6b3ac97c0187d8581bb82cdb8caf8e438755b998c5df0f7fd85ac

SHA512
7b32320a2bc82f69a7470168d4515d1fbe1f44ed03f4f30330870732e6c7eec771104bc59a1f9486f4e82e869e1f2b9d84507a976ca5fcd511fdf9e5e1f2b3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\Prysmax_Cookies_chrome_Default.txt

Filesize
305B

MD5
3cc8ff993eca8d9c6f721bee546617f0

SHA1
4929b86c5100e4fcc652d3f2d6697135708fd8bf

SHA256
806f118e2244656b2578cf858edd07c520b291b131398b55bff4d7e8bb32b4db

SHA512
1e20864995d16b5f7632f51a502919169e2d3ab64f4360af0369a5ee0b3dd1c2b8010623e72e31aa090da25df3e9739a0ebf2019254a95889828158909abfdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\Prysmax_Cookies_edge_Default.txt

Filesize
2KB

MD5
c3cb3ce6037661b29d54161aa040ebe4

SHA1
3b6bd6f8efce826412f665c5a4055fdc7f4bc559

SHA256
faae5814434f8d17943616b813ad8e1dc657ab3af130e07490c3e774cc72b991

SHA512
2cbb81a48ac78b2d5196a7942594951ffca9b3b663de09235e9a5f0d776ce848c7f0b88fe5bea52116bd53a119dc5712340881ee21e727c64c6a7926e7f51517

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\screenshot_20250328_021004.bmp

Filesize
3.5MB

MD5
51c954934bbe17f742e663b54e81f333

SHA1
c352181798042ed6a66796be2cedeef3fb197ca4

SHA256
38052f62c87b9522cb6d8dfba8a7fed3244fa75118438209d88b38dcfea2feb3

SHA512
01bbee53adab72354d88c5b8972e64e59dfffe145439aec5af018ff746b2c828e4b310a555f651c65e6091d0e4a566a0fb61eeece8039c4b80190e9bde554131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\PyQt5\Qt5\bin\Qt5Core.dll

Filesize
5.7MB

MD5
817520432a42efa345b2d97f5c24510e

SHA1
fea7b9c61569d7e76af5effd726b7ff6147961e5

SHA256
8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a

SHA512
8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_brotli.cp312-win_amd64.pyd

Filesize
802KB

MD5
9ad5bb6f92ee2cfd29dde8dd4da99eb7

SHA1
30a8309938c501b336fd3947de46c03f1bb19dc8

SHA256
788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8

SHA512
a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_decimal.pyd

Filesize
251KB

MD5
7ae94f5a66986cbc1a2b3c65a8d617f3

SHA1
28abefb1df38514b9ffe562f82f8c77129ca3f7d

SHA256
da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4

SHA512
fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\_wmi.pyd

Filesize
36KB

MD5
827615eee937880862e2f26548b91e83

SHA1
186346b816a9de1ba69e51042faf36f47d768b6c

SHA256
73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32

SHA512
45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
d2043d893a31601b9d1336444f7f4696

SHA1
4cac5e2257a6fe0f740d09aa191db2eb82d4d3eb

SHA256
82ab7bc216508992cfdec3ff14189555ecbe5d01acee6de5e2070dc6b856bd53

SHA512
d56235b94033a91111cee03216cfbdc7d6f1ee08624527df3a83a6a1a8f99b69e8594f0ea6efd1de6795273eeb3b2cbd092cfcafedb3524d43c3128f403cf8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
1949d81624c9330484e0dfa04e1482a3

SHA1
8450a399c47eac05f543b573a3824321bca6a733

SHA256
757aba5ed6182009d9763d6d980d4a361d6c12b8901b56a02fe4f92a9ae356a5

SHA512
d661aa4b8508dc92084b4d4569465cc957194ece0cc1da9f14f0394d9109804871f50c52c67fb0973ac939a068b08024d3765e8bba7af19d5ecaf49cfa891316

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
4189dbaafa933dba6766c42e6f690c44

SHA1
429e3786fc8c9f7930102baf0e68c51d158c4b67

SHA256
6c421ee8595d76761cbd1ef6a6349bd52d41e417e6a6d1b90925390c02ded723

SHA512
4dcfc970fcb8e093d4a22d69da6dabc291b4f2fb695fe575cd5f589dbc90c883ad8060479deb74e9ee3258934752377b433371ce91573baf8f0218bbe02c5440

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
84aef7ab14dcd354604d1e5546fb6b69

SHA1
10de33ffc609f3b6656982c52740658a11dd7c68

SHA256
b9b605df898c40be2fe4a5aa107f2e2cc6aaec7275c1984c6c7b9c4ee17f044c

SHA512
474e5424a1d87f0f4e7f08ca57b6bd7c569698b9b4881589228de8f3c67b9e10608a07eb8b81936b28dc8ebae6b55ceaba76fde82471b8b1ac6eeffa22a359b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
c17b20b8f1f288b8fa0ac5b5a9741f7e

SHA1
4d4002660810784035357b79c7c8fd5738e2b638

SHA256
52409321d0592d076524d8dddfe26f2f667ff091ee18c6103818324eb9c57155

SHA512
7f387d176506037a99ef2df7ba14d51c848c6247c138759d91bf5b6896d746b6a8f9743e13da3db0edcb028ffaeff0133c48182a5bbd7d4a0d90919ea860f615

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
9e7a9badcbf6c7ec5b93aa616639d857

SHA1
368d663c2873c1d1450f84501a0cf31eabce5cff

SHA256
5637e943bff0c7c09bb75aecea1a4e5fc316ecaf9e68b65bb8b758c9c81bf34d

SHA512
de3a40cc19ceb9d0737cdd54679f6d8e2fa2f3f89fc154638583d2484259b0b58a584f09982048bcd6065601d21ee107c832c1a531c3292aebb81122fe2268ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
7af4a47eb3649c87e6508273f7c442d2

SHA1
60a71893ffe062d1efd50bf64c8c52e007eef75f

SHA256
41d981933ed13460e1b567c6ac379d471d9b93085ac682d3a55fa56469b312f8

SHA512
c8663b56c8c1c227261276bde5a216a1aa90eba0629d1267b58c30dbce8f005ace16069991742817f07a1b504cd26a55f2c226cdd3cfb211443b2936f1b92ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
994c41c4145b443983e4082030e176f1

SHA1
6319395d7dd1b444d594d5510c666d0e40e78610

SHA256
d1782ed45b2c4a2972dfa7355fdd3aabc4a3ef8a6fcdc43c922639995ff34d14

SHA512
10e2d605dfc5feaf111e7028f3ebe449f35fec4dc9c865bc75a324658cc9a1119794dbfb4dbe11a8f1a7a31eddb8a99f5fe804ca463f4134f55c0075e38d38d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
a1aced6cfd54910856c681081caa54fe

SHA1
98ba1e1814baab089eca55c165d0d6095363dcce

SHA256
c744f33dfb52ca3acacff0d5a9133f52d35a4d1320dfa9c33a66988fa1417f05

SHA512
1f1662826298942595a62734e12b31d3b0856efd2ae81c0e196e82743f9506931cdf24e1e48eec0ea310c463eeb417160b9e7cb2877a6145faa28697ff8790cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
2f38880849d32dbeac8f729166cfaf03

SHA1
254c260fd59331064385a22e2fedc87d0518e64c

SHA256
5fccbc985f1a7224d88957576548f6ba33acb93cba5f5711f79260a190702a3c

SHA512
23a506a6f2173f2a62b30ab8a7140257407a371e81d99d8736f9634201a6ff34e3f2cfa84cacfa3cf43260fc948ae670b33e94496a1595623c9fe8db1ce22c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
4295def039673b149207a34873bb6ea7

SHA1
31b40e3cdcaca670a3e2dedf868caee1b4a6b81d

SHA256
2ffc392a3824d624b819df9d99334330f4a7631b385f0a3663888ce3b3f9b858

SHA512
1bc62c7ad732c2d42b2f093c2026be8728a17bb1b58350872c0160553756b551dff5e06fb3db44353142d228d9dcde4cf9bc63ac86a979ddc99d2dd5f0d94e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
fc53a106dab19af6688b67904a36c08a

SHA1
f24ed7509557a1c0d5df37140e35f51a4bda5bc4

SHA256
91a3699844ddd7fb89f0d169aaf0016dc5d08fcb0993d0ebf8e0b0f81a359163

SHA512
a267f84bb52aeadb79609519f1f25f6e3c6b87678ecf9e05cd95055f97e565601d4204382ea24ab20f5e6c9b86684c1eabc8bf26a2828a4da0661cce42e75b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
bf6f55f08bc31d74a0af7fb1ab8deb7b

SHA1
c27d465693ead4c70c190d45acccea612f0a59ea

SHA256
df993b3115061d54732528e3b59ef09332f088b2fde1e114a4f85f78f46e8b87

SHA512
10e5a55b9cb2d9e1c654143fb636d7e7f57ccfc5dce697c9a1ce3c2e4129461195b7e035497971f02ee928256f2e80fa8d11115933ad261726d1c9976130cb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
0fe71200b97bdc31b2ba9370ad1164ed

SHA1
5c5ca44fb6a8a69794ca880d41dbe3c7de97cb21

SHA256
c1372ee2d82d88e230de0c69608cc710bb1fed26571972ebe3b3160bbb979621

SHA512
16609d1175f5ddb285bbfd667077384fccdfc61c10fa3f56e51820d75656aba3be362832788b2b2a1568afc10aa10e0c5bcc560fac7f40e372108f6250c98076

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0858761bcca8ca0b2d19014a0fdaeee9

SHA1
cb5b00b5521aca111f0ece818ebf84102dabf324

SHA256
0cc62cf54bf207b3d840ab84631875459551f0c9599d9fc97fffd95f169d5d39

SHA512
891b67e63434fea7bc6292fc50198b0f0aa3596aa0e41bdfcdf98d4fdb8fe3548788ec93017922f69d211010d8ba1f72744730f3c14f915a5dba499980bcfc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
512e1701e060c08af71e4423756bb3fd

SHA1
c55615c772156fc72b759949b568b55842d302c9

SHA256
040484d95335e636997eb1420ccd25373df08e4b8966452eae04001129c009e4

SHA512
ea1ba6cced4a5d2b2ea950695aace7acc14b9f9f3ba4cc104cb2b23b6ad3e76d6b24d432cf823cb6910ee6bf8434e8050f24b00b7ab6a8550160c64a4c92eb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
f7735e120f85686d4cc95ffaec44f265

SHA1
3358d72e006cdc15dbc3e6e3990bdb1b12fcb153

SHA256
544496a7c788cf654525ac3a251afc1e0ee2388312049463be601e39266bd3ec

SHA512
291e26bfa539c3284e57bbb666c9900aa20c4f4da57d94f7b4e93f1a54e7d29bb735abb7df2978d233da7766083cb2e6cd4f5b7706e995bd940cec801a696aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
5ab151b11da26298ed96fa0e73480859

SHA1
d15514cdf15126440d898ecaaa4d7625dd7cc6ab

SHA256
e41fa81b75b996d901bf4423d5ed3ab3fdb6cc1983583c83dbb5ec673ff613a5

SHA512
c0e09fda92ed68eae1ccb86630fdeac9b1a5ca972a4a36ab87dd9470f731d7ec734dde8edbdbf6ccfa1ae2d5333ab903a3ff4740d20710076751581ecc1c324d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
34cf29021a0061e881a3b3dcd233ce0f

SHA1
e42a17a7fcbd6eb80a2122931f435e768800559d

SHA256
1eca84535031dc72a682375a9ad70c3cc4479ebb5983617407610ced722ea3a2

SHA512
790461f99a2294012642be36699d59291f372ccc79872a87dca076824861f0cc373a3c448917cad04fac1d939f8135b4243a3d520f94d6584749602646c67362

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
7004348cf2b453c2c4c9f517aa7deb95

SHA1
5c74f2f72ed83e4d236d78f1874ad5762689a06e

SHA256
47a46e9c574e3bd8144d6d7ed31b9c5d0ca0b1ffc584b5eb3b37dd793d036a38

SHA512
c798b11045ccd317df8b0f3ea101ab74bc09717eb6aabd11024d3df877821ce2eb3ea8c4b3cee36e45448e2a0a830e803557220792ae34d9aeed6aa71637ffb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
58bfb6250fcd2dff0f0d3476a1665b54

SHA1
7fb990a070db633f3dc58994ad3130743ee34dd1

SHA256
ef2c75cb8d359cccc0e504ec5d82d6a97dce44442f340f6d28b8c4e61b817aa2

SHA512
c20c524f198da32e1f67d79cadec309774b2ca59cb422c42aa26493b3febf42266ba7467f8db7de8d74174024b6e5cf87b43c24fe6f060201bae2f7851e5eaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
c02cff688ae7ef4bc898d9e859ae67cd

SHA1
11473a42490bfa6c8dd88cef871b41534d4ae6ec

SHA256
0779d4e8c5a2725d5e022039e41a8ced8b2818d66e43110b225d39662163f3e6

SHA512
5028f09926c74e1bb7fa39b2bf6507a4a63834c6932de5cc5ec962c437eb6b7be97c96c1fb828e1ce393677c712ea1aab505a276e4584bdd683eeb686d3605c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
cd59d138bf6d0935ff9b8d06ec181690

SHA1
2e383a5e2c3eea645a7ef5621395bcbd6ee246e3

SHA256
d7a58b7537fb4fab7388849eb3a44ba50dbb0c33f5bf1765a0800a4a2c522fac

SHA512
84ee3125485901a9bf2481731b2860b0430ebda9e1a91eff1dd9f546288e8b638f8e9e761bb04fe816db58bb35b6ec705c70b184e3ad00827804f86ef0674c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
54f67f4836863b70e4176ebf6575535f

SHA1
edb6b54053961be5fe0d65cdaf1245d3e8f15eeb

SHA256
2663e7d276be5a3b39cabb680d856adfc1b9669e10ef01a7866219f6e81a1d43

SHA512
9a7874ceaef6ab7c9ca16a4493f9a45c81b4207f6ab39d609f73e52fc56fcea81d18042539b937a0db36cbcfb6dcb75703666b246d3c76394b73862b981a068a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
a1e71c645000ff43c17e471b1d256e30

SHA1
3b923cafded6c7fd2b54b235f9ed124b3b98a7a1

SHA256
984c2f8ec4f7f46e0e7da550affe12df3bd3078b7575b86a34b4b2940133a7dd

SHA512
e7d4de802de416bd30c04d47b6f38bb9dde1bcaaf434487b7a41a0cea4fe52324a40f463e8e42577731091aa6ba8d6e81f4aefc0fb080cb59e59cde77b7a320e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
2941a8bfee796045453f8e7079e96bbd

SHA1
fb1c5e223b5fa9a222ca453d1ebc2f2bd2604751

SHA256
eade742fb10867f86328bebd0f78fde7ed7c513f56489913f32f582315564329

SHA512
eefd7ecf25be36a2b1a9104565481825e9dd0750a476d6215d278194d5ac7ee31230e47b57613091057be00737412096c7f6a422a2d78b1534551eb66b00b7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
b410b8e4f9205a71b1cf1b2611f22f3e

SHA1
fe0bfff225abe77ef5df74246b48202b8bc1e880

SHA256
d314c0bf7a78674ce535e97986416791712094c8ab5fdee527644e5664736ada

SHA512
8fe10365c7144fa6bcdfa08678d000b9ccd8baaea61a838302e991b658d9fbbf006c334142a80de0c2e54cc3d824a89a061323e6dce532e298faa5050afdde56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
4ffff771ae44274d7a86e3b3af01b70a

SHA1
e7e0d3c6217429a0a83925cf8610ffdd0c291aef

SHA256
adf45ff1c58be6d1a83865357d19002689062b6ca72c76782dbb499d27b15d15

SHA512
bc599a79c9fa6a9ca7c3e2a3b7320cff733365bf4f4895aa86f5689d32c3a9d8519ce70a8a28dc4b827708034279ca71a1a7f99fa8d0545360589f30dcf68798

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
f7f96e3bd87efe15e741a631575a114e

SHA1
4abc930520dc0913da07ee23079136472262c34f

SHA256
e96f46bdb5574f60123b0870fbb06cd7910d3d7218c865afc55a6fc76a749ec4

SHA512
e85cf43b65964e2eced871a0abf73ab7ca885306f08a2e172b8fd395635a81200c07e7890de6570b463ee9350c93474c32015a477959ac961ed1e13f5ac85494

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
76e90bc8cdad95952ac6aca110c16a41

SHA1
5bc8f277ff48282d346dc34a769a15885e117dc0

SHA256
b729880c5040bcff86eba9d18bd6da2d9fa7f8efad519cae0f4abe6157a1decd

SHA512
307333756ed0f7964fc5f89b9b0705883559a972f8bbc790708f0e2bafaee64866b89975ad4fc15b80bdc23923dcb808e46be6ead323d57b642b3ebdaeb6d049

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
481d045b710f84be573659047eb9e8b6

SHA1
f9ba744875297861d06a4647c7a4f76ec18cdf82

SHA256
132e12343708d4ede2650864105b09bd49e2b24d062d854a3e70d32d2094f3b7

SHA512
f08a9a07c8c2e69722603447b8b245b26dc26965fd453c395b10374c08ec2cd5c79a532834dd38d39f0ece2d83f16b6feee46c3e2cc4b9daddbdea0a7dbbcb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
717f461bd9bb88a128a69c56be78b6dd

SHA1
73841c3125153e7216f294a4a3622e5384d6db9c

SHA256
76762745125dedae0414b1b23561fb712f592bde1c9c2e5d015a3739c6683ece

SHA512
618a313975188f97901d59eee850d3bba7b5e65aa16189c6c051c94848c03e4ac627579a92c8d1b73be0dc0e3d224bbfa600322e2cf4eb1c06fe746a51a10992

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
ce69f9895b4f351e30d1ab5419bf6659

SHA1
33dd53876edf03b89f67646404568797b0c58006

SHA256
ac2371f6d3194665c8ac85d7872d713fae3f65a051d01859eedb3e5f5fc8c5ab

SHA512
fa17bb5befed1d9b045e8feaa9e9c272cfb621b74b50d04fb0e3a8ec59296cdcf0bd2b226a86e06b66ac6b9f5168125a833b309a14f4d8742ae9de033a3cf1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6d754012190f80c6c194e175bfb6a2bb

SHA1
d16b51dd76101abac068315e284a90c040f6a750

SHA256
7d321636547f88ecff2e7a31d77f6cb1992d2f52ff50f561d8c1546afcbf9c31

SHA512
fddb19976b7e28319e605bb87f05e936a2bde20de776e66436431010f0799981318aa6a2f185135e0153ad8f0f02b113c4aa440d1d7ae7364c77460f90cb3b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
9df6633b6bb93da9d77fa9dc649ffeae

SHA1
24b618d799db544ca8ac83029f36ccb02b1003e0

SHA256
25c1c1b0ba09b79c155d98c6d1bb334464b99aaafb329fbf3ead45bdd85ad4a1

SHA512
0b3aab7189d4bd96de2f9c3e47f70fef1d492f4175987625a7239a89a03d5a6d2b72f030368942a1392cdb27710fa77544f64fe0ee9f400e59663e2dc2191bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
803850769913e915ac887659c76c709f

SHA1
cad239aeec9a452d76ac22c9b4262fb22a4c02b9

SHA256
fc028cfcfe6bfe7c50380f1edbe9d684ef5545e19e55bd3d5e42d02e2f37d963

SHA512
2fcf3fd515377135261f7c5209250927639b91146e70e0def4dcff299a075696e449f534fcce731a05bd896ceba9cb382ebdefe09ed86927e6340172efbad434

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
25b0e96659cc12ad7468a6c72a68eb50

SHA1
ef5bb48e0715d373bc39f3051581ba103c3f37dc

SHA256
46f50ab159c3d8eef9d7ba4cafe2222bb2fcc7a0a9f86b3f30df8e89ec4f163c

SHA512
bd3fed56d8e361e7b960cd3ad989dbca7e075c33249073993ae5f6e63749e3b7db97906037206b5c13324e8d3b0a26b11cfbda5180796639c2588858aa42b814

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
4bba3573fe3fed3ca662edbd03520d59

SHA1
a234888589c7ac8d89a3ca040e1c00a1bd318772

SHA256
a37c680e5108011dc4d12980a12d518e781c11fd3876c4f37e766fe5e1d9637a

SHA512
84c78631c5e8c6e17f3ee9485a007375abfe75b0acd1e9be1f77cf944dcacd5d643dc63ec5b5e878472d04992b71c14331fa8e79d26a1b38184086132eec27ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\logo.ico

Filesize
115KB

MD5
5fa6184192bddacef85d9b29283a3eda

SHA1
b5c4cce2f6a8cfce8f766c4f1d01c94ed1efa134

SHA256
cd9acec8aaf096838a29f30af15173ba73b0fe6314225af702137c16b128c000

SHA512
92933587cea8483cfa3ecfe1036e61104231c249210c31d0a371b55d1ffc50ad96fc5fd437530160a8467ad526d19ba573c473eeb355a93adc04f2ca0bb5649f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\logo.png

Filesize
2KB

MD5
7f32b781cac5cc74e22089fa5171d20e

SHA1
ba983803344c3decf38c3bfe50bbee8d0dbbdce5

SHA256
b56b8c651ad8c35811c6f5b4255876b5f7bd7a1d66d2b68bcb8b3c9d8c0c61dd

SHA512
72fc28d6a931b6dc84b126c0e232925b9e595886769d08a6ac077ae9f6065fb636c00d712851e3f27410eb22d1407faf9beef8a1ebb8c4f6a9dd86993f04a313

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4282\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_quj4n2p0.hih.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff_bookmarks_tmp_2521804435.db

Filesize
5.0MB

MD5
c8fcc6f4855c1cb5b64a57590b0d4a75

SHA1
e2741f8636e2bf3389711953ddf0836fdfcc9c34

SHA256
e739d4bb39b4448b96616f5bc389724a6cedb44801691c6827c087f7a6545075

SHA512
b70019e2543b1c403a8f289d5c7b6ef1c06e23406b7ad7d55831abb827e94a5e36cee5bf1b38a1d54486f6154419eac8a9c6edb031f927d764bc6481efa0e257

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.flag

Filesize
22B

MD5
84e950a7708ef522a79d9931a2ae6955

SHA1
8d8493b417e5e0322f96486f2c2cd8c089cfeed3

SHA256
1048527cc96078d6cfb412572dedb7854cfec47a596dea5622dc572ae770c296

SHA512
60344904789b7db2c05e351a8ab2f14910f7eac8838a8acae4daa2849900059a4604cc2971635678f0430f88e09d80f095b602c3431001163d73f11c07177b6a

Download Submit
C:\Windows\Temp\{235D9131-F0D0-4505-B7C6-0E677D83AB9A}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{6D173546-14ED-465D-A957-3405BD6CC992}\.ba\BootstrapperApplicationData.xml

Filesize
95KB

MD5
38af91023632743c59002443eba8fdd4

SHA1
2df0b5491b355d75d2370ed1c302660801f7a996

SHA256
a53a02eef6e5c586246abc099346d65c3f4380c3355637cb3aedfebbd9a740d3

SHA512
f0ceedc93a435803ef61114627470d8a05dbcff5dd3070c8e332edf99779b2eb17608858c7c9b15ed9a93d1010c985f9220356bf3374562e19e3444728289cee

Download Submit
C:\Windows\Temp\{6D173546-14ED-465D-A957-3405BD6CC992}\.ba\Default.thm

Filesize
11KB

MD5
4a006bb0fd949404e628d26f833c994b

SHA1
128bf94b6232c1591ee9d9d4b15953368838d8ef

SHA256
be2baed45bcfb013e914e9d5bf6bc7c77a311f6f1723afbb7eb1faa7da497e1b

SHA512
b77383479e630060aeaacbb59e4f90aa0db3037c9c37ebf668cf6669f48b9f57602210c8e0c20b92a20d1bae1a371a98997b35f48082456f77964c7978664cd4

Download Submit
C:\Windows\Temp\{6D173546-14ED-465D-A957-3405BD6CC992}\.ba\Default.wxl

Filesize
9KB

MD5
411d2dc96fff95e6be82a9bbe882af7b

SHA1
73a8637bf5b536b099c724e7176186b57257060b

SHA256
1529fad8a804911b2854233dadba6e36ceba35edce6aa1838818142cb3936384

SHA512
3259a5aa3c37847e28ea5c07b18533551500be750d20675686231eb4807d400e480e6fe0fa7bd48884d758af6be0e8526eaffcf06bf5a7b64c2b4a72bdc9f990

Download Submit
C:\Windows\Temp\{F602FA4C-724A-47E8-80D5-E4FBABBE7AF7}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{F602FA4C-724A-47E8-80D5-E4FBABBE7AF7}\.be\python-3.12.6-amd64.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{F602FA4C-724A-47E8-80D5-E4FBABBE7AF7}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
memory/788-246-0x0000013F566B0000-0x0000013F566C0000-memory.dmp

Filesize
64KB

Download
memory/788-243-0x00007FFD70DF0000-0x00007FFD71053000-memory.dmp

Filesize
2.4MB

Download
memory/788-245-0x00007FFD5F1C0000-0x00007FFD5F701000-memory.dmp

Filesize
5.3MB

Download
memory/788-244-0x00007FFD5F710000-0x00007FFD5FBFC000-memory.dmp

Filesize
4.9MB

Download
memory/2444-621-0x0000026B64BF0000-0x0000026B64DB2000-memory.dmp

Filesize
1.8MB

Download
memory/3344-360-0x00000271D2DF0000-0x00000271D2E12000-memory.dmp

Filesize
136KB

Download
memory/4644-1489-0x00007FF72BF80000-0x00007FF72C4C5000-memory.dmp

Filesize
5.3MB

Download
memory/4644-842-0x00007FF72BF80000-0x00007FF72C4C5000-memory.dmp

Filesize
5.3MB

Download
memory/4644-1213-0x00007FF72BF80000-0x00007FF72C4C5000-memory.dmp

Filesize
5.3MB

Download
memory/4644-1317-0x00007FF72BF80000-0x00007FF72C4C5000-memory.dmp

Filesize
5.3MB

Download