8c9a9e2dbd989b305b55eb0eb7ab418dfa647d9c2c1bd87cdee4fa4e8a14ff83

Resubmissions

09/05/2024, 16:46

240509-t9755scb3w 8

09/05/2024, 16:43

240509-t8g8bsca3v 9

Analysis

max time kernel
129s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalTrade.html
Size

1KB
MD5

078d900d32e42eecf4d2f6be6c603523
SHA1

5788502989ef5cc8800f25b535102d81e83952b6
SHA256

8c9a9e2dbd989b305b55eb0eb7ab418dfa647d9c2c1bd87cdee4fa4e8a14ff83
SHA512

0f3d254faf443a773dc74e8bbf2eb46bbdf3e6d3d1437402e7b1713bbb1cf6e0f92d7c7aada8b1270d4f9a65f7aadbe1b59bde7b015330947c4d90a89389133c

Score

9^/10

evasion execution pyinstaller ransomware

Malware Config

Signatures

Renames multiple (213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5516	netsh.exe
1456	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
6096	ByteVault.exe
4884	ByteVault.exe
5396	ByteVault.exe
3308	ByteVault.exe

Loads dropped DLL 20 IoCs

pid	Process
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
4884	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe
3308	ByteVault.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ByteVault.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ByteVault.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ByteVault.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ByteVault.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ByteVault.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
3848	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00070000000234d5-333.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{AB067118-6EA7-4A12-AF11-3F522D9127FB}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 467556.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
672	msedge.exe
672	msedge.exe
1656	msedge.exe
1656	msedge.exe
3180	identity_helper.exe
3180	identity_helper.exe
5204	msedge.exe
5204	msedge.exe
2656	msedge.exe
2656	msedge.exe
2380	powershell.exe
2380	powershell.exe
2380	powershell.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4468	1656	msedge.exe	82
PID 1656 wrote to memory of 4468	1656	msedge.exe	82
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 1948	1656	msedge.exe	83
PID 1656 wrote to memory of 672	1656	msedge.exe	84
PID 1656 wrote to memory of 672	1656	msedge.exe	84
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85
PID 1656 wrote to memory of 3628	1656	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\MalTrade.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcba0146f8,0x7ffcba014708,0x7ffcba014718
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7620 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7520 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14357063594918901746,4734727782034340000,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5264

C:\Users\Admin\Desktop\ByteVault.exe
"C:\Users\Admin\Desktop\ByteVault.exe"
1⤵
- Executes dropped EXE
PID:6096
- C:\Users\Admin\Desktop\ByteVault.exe
  "C:\Users\Admin\Desktop\ByteVault.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5516

C:\Users\Admin\Desktop\ByteVault.exe
"C:\Users\Admin\Desktop\ByteVault.exe"
1⤵
- Executes dropped EXE
PID:5396
- C:\Users\Admin\Desktop\ByteVault.exe
  "C:\Users\Admin\Desktop\ByteVault.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
24KB

MD5
f782de7f00a1e90076b6b77a05fa908a

SHA1
4ed15dad2baa61e9627bf2179aa7b9188ce7d4e1

SHA256
d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968

SHA512
78ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
164a7f42ccabe7b2caf2fd48f2e81251

SHA1
f93a2e719df3b411b7983acd567128521623b29a

SHA256
9235f56910ac2d00facbcecf3bf4cccf10f3c806275341dc10d405519fdcaa4e

SHA512
0883859d0e3aceeaa4c5fb81162067cbf804000d6b506ad7f6343c4b60c8b70dbc632efab58e3ecaf1b48c5f8bce36db3d6d164d60ec1eec1d20e301c9de3175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
36e023b88caba6b2e18073fa346e375e

SHA1
a016a9e0caa8c2d520917a75a34af46ba1b074d9

SHA256
ebc6c978ceec5be3d99189195e59e008abeb0dcd608370118dca9b88a6f36c69

SHA512
d7fba5ce135dbba991c7e8f2c5e7e8cb160b8f67fef48843ab6aa7414979cc397ded3c5dab65f8d368a6d96e8d38edf019702066cf1f587dd06cb9dc08a7d41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_best.aliexpress.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
86edf07946a84faa2a89160c9618eeca

SHA1
dea965a2cb0a21c70e2664ec7f34f851fa956f82

SHA256
9d1657b47ecdf69389095da1c28b5e5e4a0f7f8a76e0571af2c3a012c33836de

SHA512
4c20239b781f3e68de22cbf930b7ec67fc371d00e8831ab05ef91976d8e45ca3da6ab4bb7372c817b085b6fd69e5f6bf24d9e692a4a38d1fc6102a27784940ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5e229c2e24fc6c18e5e25b8300c7b472

SHA1
5e74574d758a5f32988e1e862903c712e2609300

SHA256
156804f909565b4f25cc68067bf2f9821bedaa5d17f1608f798961c1016627c3

SHA512
043f5a8f64d2c039c6e07239a89caebcc66ffe09d7ce269ac63f7d2a6e5d45eec8cc42412b073b60b0176df5174367e3e6f8704164d6be161af1c8d74234488f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
94574c2098fcc5618b03e72805dc9b6e

SHA1
07edfbaf0b6ba51fdd690299b5a121a147b89976

SHA256
029ce7ac8bf59034cb77b87b648df8b9edae80b19402f9728f6e397198672c87

SHA512
f1625b2c2883ec9ab43f05e893f75782260e40c078b1fe4d17f1d422189b7c8e2f7fe52b31715e5504087cf118d9fe8db583f7c4910f9c82c40cf31d62a05e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19c0b01a184468b1f46ee4a3b774ef3d

SHA1
2383e3fe7137a030887d1258f42d54bbbc7810d2

SHA256
e3eb4b85840bc7fbead8fe74bb61a5ca478c08613d47a2440b779026a9e37ea3

SHA512
25960588887b65f66b35e1a0e0e27a7fee1d0c815d79e0b86e34fc95cb0e1c0809e5481dbf19b4adda1ddb0cd729770420bee12a1c3e2220cde1e4cf331ddccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
51b691f90ad30e1f214092817d6b61f7

SHA1
3bb3d19011fa99068bf343a00f89c1a168c32f82

SHA256
4a6d31b3ba6560c2f54d2809493a4e56d6101c02ba2ddf82f8c98353ec1c804d

SHA512
a77773063529224bf6319bc0a1793584cc83e0096698ef64fe824d37b74324c6e89d9d6bcf74c6476120db399a84839f374d2bfaf3847fde6643ba97c7c1cc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9f4e6c590de30f7bc53552a988669c15

SHA1
4d36ad4a9f468d3fdb72a75be36f09936f1aa570

SHA256
db4605db5c6c866d5eef211955bede8ca4288a074b349722168a376ceb6c5532

SHA512
5d25c8ba3b779a1e1b987b10ad65e6f426bf63e66486a83d6f9962bf4d3a1e44afaff8bac54588cb0dfada4a91262d0bae1a13103aa19376da7966c61859c827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c1497b5ca6c4cb4850a44757188c5197

SHA1
541b114fc877ffc2f4aafa4d45d23b86cd829a1e

SHA256
6a5e03d8c6fa2bde7f35e74fdcbb4db853271e72da0c001c05f89d323d96eae5

SHA512
7071a7c2d85e498ad8de8a824829254ffa5b2c076e10b910a0320d5d0fa445822ee5b5c7730855d82370e476d26c01b57a4d02c63d5a63de3562026740145ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
27a88870a487f525b50bba1a81984d93

SHA1
4a376b3f3ac69727df1bbbb737ba62bfe0a2eb24

SHA256
2dcb284353cea086a13aee44379bdd0e47aa2b365c1ba7af22e790f0b6d9c0e0

SHA512
c3449c1dc827a34dab6705fe26c220c780d57a2a12af71f73cb767c868291900ed47e406f09050445cd202b5111cf30d7c72bf65c9b326d26e1703ea1d20b282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
515fb512bee9c34e6df9777f248405fe

SHA1
6536b0f68cf915a53dca6e1b4ce309b3b0ac9d47

SHA256
f973492b64829c4b31ad5815207f3d4de2de0c35095f147629abd8e0c780c710

SHA512
816359968287e5697884fe514a5b3c1937caaffe16489c80e86d222fdd47112481ed49a262f51379bba4449022155740f2c22e1ee0e56b36dc10b3eaa3f1691d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
240B

MD5
661fd54b943a5fa40a461b7f91fd755b

SHA1
345e0b02f4af0c22e67759dec6e20a0af264f205

SHA256
e275dbe514dbc774f7c2b5b5bde581edfd82aca86f1fda4f369ec42e59dea344

SHA512
2f4b5ffa5cb296c9052db0f8b086152b1597696bcc75bdcb218180028e220fb13cd881013766f25d741ef43c621f4c64f5a7845dd619af0f197a08fd8c114604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
264B

MD5
b3de1552c10e961feb49fddbfe59a6ed

SHA1
95ebd104fb14ac1fd60a98b79ce9d8430d530bc4

SHA256
73589d580889e61268aa10754582501a653e0c6dacb1643a08b594a57dbd9616

SHA512
6594891858fc9bc0e6a2543398618c0040297992e0e59c0a9a6b0d76fe3dd2242b85a1098ce20159d1b94b1342c1fa4bf9a1effd6c7f02acc6ff8ce03ce702e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c3ec.TMP

Filesize
48B

MD5
2e90122e9da6244585a5296505f951d6

SHA1
1b3b359217e252976b6ae3b0bac2c32444e704c3

SHA256
316ae59b2c4a50cb3822c4f9b86c4bc1f0f516db88ed5cab73c9da4c272488db

SHA512
4c7dc4fbdb49061532ace40fa17a6a3b5922220bb70d25c248d2dd72b49db8171a092e7cf0b72b935b11b0ab60242c54741f2fb71d07b2c02e3f05105b37e0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
41086f76a28cb62301607d6bb9c4863c

SHA1
674d222dcf8cfe13392a1c086c41d9e829c15abe

SHA256
aee388b0c00ffe05cc7bd479ff1b6d469e61b17fc25870cec293257c3d7b859a

SHA512
c54794923b4eb2950545db2a2afae8e559f7c2d9b24d1f733f1ada2275c9fc98e42b302612011d0573e1dcc6820807912069aae4806ebef7177e20cd366832f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
96591e7c6858a0e7d877be29b58db827

SHA1
f0f8ebe4a94935fe203b6567d30c40a3242a8a34

SHA256
ad2d31a1ee37bbb9cd40d23523dbaa823fa042d834295cdd89397f546cad7329

SHA512
c6f75780f1cf3cf36a871fa0abc6c8a55e0e2dfe34d44229ae7f3224093200dab3687f498c8c0aa74e1470e7d06bd21c6105b51ee5768eff563d7a9274bd6783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b277.TMP

Filesize
2KB

MD5
c12ad157c857b195e653447ca4e3183f

SHA1
db56ea1efa90b5a571d1df121306af4b374b358e

SHA256
c3bfeda170015ddb14b3e8c3e4a5cdd6313db0e7bf30b0ef389aecaa3ba36975

SHA512
81adc29b48532ecf0fa1b89c8c82ddb5f24812ac1dcbc7aedfc645ccdee83be81c445e2eace261c9b22b896654e4dd345e206b66ef7d807c60039de9f1398c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a5561e1b7e0368f8147e71fc4487160

SHA1
b3ba3b32888b9d3f2609b6415385266a98aaa633

SHA256
34295d92d969ae710f4a58bc989719a606a20242d64a9dfa649a23e5753bf4f7

SHA512
3974b9993e79bb7079e56c917bb184dc394bcb3958bbaed1573d705268289f4b34c1940f489ae7fe088f407a92fc34cbf77ce8eafddd29c5f4a0d76d06a120f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68ccc3f1fa63c04c8b4c42b479e427aa

SHA1
289226dc851c2e48157f6fd8f88aea4b6c45a9fc

SHA256
7068ea57434bf7e25f8b63fa8fb8a1d5af994c4f6aa7cd2f4da0dce04c8944de

SHA512
dcfe847cdc1b2ae075adde6b35a81a42ee5b2dba18d534f571a9f9c7dc4d3f9d00dfb69601fad034d94eea678cc52deed9cb66bb23630591024003735221d775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bbd1a23a1fd70e173eaa9967fd625ec3

SHA1
a1309136e5ecb295a72f5a9eb77456bb82b78e56

SHA256
014eaf986320da1b0e06efe0ee4c6276731907193a1b44137aaab4006701b19f

SHA512
a3cf65a43be64fda176f3ddda053957b8dd913ceee80bbd74463551e19b49f2361b3344c2f6777a01e29db8a8932f04d8e1bca31ee304180163b25c30c499091

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\base_library.zip

Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
61d63fbd7dd1871392997dd3cef6cc8e

SHA1
45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

SHA256
ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

SHA512
c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\python3.dll

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60962\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_waz5siub.ztp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
7ad525852da6350dcaf89978d8b18c39

SHA1
00e0e2851edfff55d65cbd684d5c68b0fde30aac

SHA256
31920ace8f055d99c7fea46d55d1f7d5eaac39171ed5f5094794521e126ded9d

SHA512
342e8323d9e67622fa57886048bc675ab26c3cee874e4f1c1b0571e35c84c8ee143dc56bcfdf97c98847360d69ba8f1bc1218e3d25121f7b23627814733eb3a9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 467556.crdownload

Filesize
9.8MB

MD5
25a7375d3a6597707493a0841e878bce

SHA1
173a8e00b00d84830e06b1f3d63988fe895fa001

SHA256
7f65b5d7be7a9e563e1b577ff1d95c891b16fa9871dc748c7640e6589e6902db

SHA512
110518ee80839dcf0e826bfdb41c16591deac371865b3635ef08b005a823e53c296d9de0be9eeba3d6e1c5413905f4d4d8ef175748c2c6e48801b9149668cee9

Download Submit
memory/2380-700-0x000002625FE50000-0x000002625FE72000-memory.dmp

Filesize
136KB

Download