hxxps://drive[.]google[.]com/file/d/1UhZuVquQSGbGRAjtlcJ9BiZcpGQeSjxl/view?usp=sharing

Analysis

max time kernel
218s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1UhZuVquQSGbGRAjtlcJ9BiZcpGQeSjxl/view?usp=sharing

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4568	ransom.exe
4960	ransom.exe
6004	ransom.exe
3640	ransom.exe
5944	ransom.exe
5080	ransom.exe
4848	ransom.exe
5840	ransom.exe
4464	ransom.exe
1552	ransom.exe

Loads dropped DLL 30 IoCs

pid	Process
4960	ransom.exe
4960	ransom.exe
4960	ransom.exe
4960	ransom.exe
4960	ransom.exe
4960	ransom.exe
3640	ransom.exe
3640	ransom.exe
3640	ransom.exe
3640	ransom.exe
3640	ransom.exe
3640	ransom.exe
5080	ransom.exe
5080	ransom.exe
5080	ransom.exe
5080	ransom.exe
5080	ransom.exe
5080	ransom.exe
5840	ransom.exe
5840	ransom.exe
5840	ransom.exe
5840	ransom.exe
5840	ransom.exe
5840	ransom.exe
1552	ransom.exe
1552	ransom.exe
1552	ransom.exe
1552	ransom.exe
1552	ransom.exe
1552	ransom.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001daad-277.dat	pyinstaller

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{86D88269-60E6-4888-BDAD-A5549DAED473}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 847541.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
732	msedge.exe
732	msedge.exe
1752	msedge.exe
1752	msedge.exe
552	identity_helper.exe
552	identity_helper.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1056	1752	msedge.exe	82
PID 1752 wrote to memory of 1056	1752	msedge.exe	82
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 1648	1752	msedge.exe	83
PID 1752 wrote to memory of 732	1752	msedge.exe	84
PID 1752 wrote to memory of 732	1752	msedge.exe	84
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85
PID 1752 wrote to memory of 2292	1752	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1UhZuVquQSGbGRAjtlcJ9BiZcpGQeSjxl/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe024c46f8,0x7ffe024c4708,0x7ffe024c4718
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1760 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6584 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,14558417759958642989,14939631130348433522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4bb3e23ahccc8h4b7fhb968hd5e4884d0f4c
1⤵
PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe024c46f8,0x7ffe024c4708,0x7ffe024c4718
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,3480054781022343347,13744909890964163490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:5968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5e92431ah4f00h4018h997dh963b6f71e1d8
1⤵
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe024c46f8,0x7ffe024c4708,0x7ffe024c4718
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,16546846596666604686,8385796642655268324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta1c84fbeha4f7h4bdah8e60h9ead44f21f3f
1⤵
PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe024c46f8,0x7ffe024c4708,0x7ffe024c4718
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,821808570592997819,2097979476698782992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,821808570592997819,2097979476698782992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  PID:3640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5364

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:4568
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4960

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:6004
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3640

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:5944
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5080

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:4848
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5840

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:4464
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04e4b56a9ee010978f60a764c17a7514

SHA1
252e64bdfcb658a990183cf38b774c758399345e

SHA256
09dbbafef71b60b083042fdd95d87253b8dceee0d1859ef8f6d7f315a5ccd41e

SHA512
386a2f55475ba61170702447c94104a867c0084fcceff45473036716b02eace44a1a6aafc350c90a5eab66fadf7e4f0689162f00d9c105f62b529922ac78348a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c6f8bc1855d77f959789fc4aecbea583

SHA1
945d9a1e1884e7dbe8198df7b1c7bf9f54821348

SHA256
722a07cf042231cd939f3b092db61f1a9481609c3204c020b8c42ddae506f2df

SHA512
242d9c02fd97a4410a4d63d7a88af48cbf1836c698730060076442af2332b84489762ccaaa74f5042f7cd276fe50da39367e12403cd3483bc4f8e2568599a2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
66f22c9bad2b593ea61933d93228153a

SHA1
78c49c4971e4b6ed15ae33d1be8fd366edaf2019

SHA256
f05657cef67c0a38fdd29210a218bbc950d0728fa8568e3eee373c2d6c2b5956

SHA512
278ab8315ca15d5ac83c26814e30524254003dc3702fb7e1ba845a54b2606682ea6dc01224a0b9cd54142eeacac024a2099d3a6f453a20ac16c48286affd8da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ccedfac6f7171e3f9ffffd3f3d36991f

SHA1
8b3d2b854e445b52805529615f4a8b880d53dc06

SHA256
2de91b35f8bf78c48b5db3cabcc71a4580de1f2362a47d703af0bf422e884cd8

SHA512
7e88c006d8d180d36a51cb86bb50ae9a9d6b4a67bb7b15c2c8b1527c3c35028bc4d9ac031748f3cb4be7646fec9afb81c6bba61c100d5a90e37b6630268031e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
af6d69358927c0ca0b3a29bdf4ae0127

SHA1
702a53803a7e1117224b6b3aa8b0be3723f65175

SHA256
43f8a1ebfc8d79ea4dfdcce2ca1dd811a037fe3efdfbb77fc1d151193275af20

SHA512
d35e36a52acb9cf0d59584e338e6ee97b11103fc1af2081e6694f1c1593ea75ce37b6af6b29361ad95a02fd2af729dbfb3998634c23bc6b2c828bcb862f37ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8b5f2d012e4e07ee4c4c57a2dcfbe788

SHA1
e1cd25faae6039eedd60e43a30fc1a1c825e7f3b

SHA256
d21a82facd18aa33e854a2b494084073eb3e8de8037edaeba772b8b1bc4d7c81

SHA512
4f4809672e6d9dc2fa32ac0dce53c623b6363987796c70b24bc4f4ffcf2a9c1309ba5ada96a5f0b08d6847f1ac5d0c8469e1e3135367e42516b466c379053fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0ca52b4a60fbcb67cd225214c2a16764

SHA1
1f822ca8112b1c4253c691a350d08663b94f34f6

SHA256
0c4b56dd28dc0e6d638f66a52a0855cf13cc57222c838d6351041855e3dc9ef1

SHA512
977a517ba3832889607ab24e9a234db964dd3f09076f47c778d90b8cff2cc3a6117f797bcf0ef0a9791a8a5d5a7ae51085a0c2fc7ab6801ed93fd84c03d100b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f067058d91bf67edeb8abcabe34a8fd4

SHA1
6706822d5915c302654fca40290065e6d33c29ef

SHA256
cdcea6f75ed4c3e7b74e2ea936f3242023a163df91041469891c1d2b321b2cef

SHA512
8987660ff079bac4d07ebaba6e39517ced132e2bd904f61035e4acc7eeede59d042b237358501c15ea7ea7a99018d0691ec2693f773b67f33ce0de7e04724a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
344d62a35ce0cca0b003c373d77538af

SHA1
9c49f8cce3ef86de459c6193435411a65b052a99

SHA256
4a4f40a33449cdc3ce41c65c7bc980e725c1a0e0cee064cf253f88ff693b19fa

SHA512
f35cd62b0855325f728102610c51afc3de921e912e9baca03e3971604fcba2ff8e67a4ca1ca429afb694d23bc3952abc817651061af6173cc8555ec1c647d9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57b53af1e254a261614dd7afcd8056dc

SHA1
eea732bbe9c217c161cf7ae0ea31a3c2e90927f0

SHA256
0dbe06d651e0b330e71933bae56f71958b6971ca8e0ce9efd206b1389dd7b7c4

SHA512
4d657e850a8ab81cc426b14219100f0f521b24ef4abd7fcd5f3534d4212de7e69f85cc811ba740af85fcd2c63b03e5d7bbecb1c0c49f243ef54274bfe7fdbbf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6175703bc81d66d741f655f9999b9935

SHA1
17b9a4ff48d8707e76433067c79ceeb517ee7b49

SHA256
80a5ca55c55a6d733b3a4673b41dd64369caf26e411e4b0f4f9e09079002ed5f

SHA512
b857caa95efe8654cf8715d48e9181931692935e7ee8caafb9dd24d2f24bcf86703f79144f1ca3881a7b077e11a8b75eec45b4ea700ed7f30a49fe1874185338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c2afdba28d9f0ddc05de345a628e15d8

SHA1
f70f8c636e83b33bc08e925ab20d2f481cbc274a

SHA256
05f4cece3645d7ac3359974c24facab20ad0c28a3082a59ed626ebf95283aa8b

SHA512
b2ae26c84d9cac222e47b78aafb2cc991b3c2ce1bb90034dac60d0ed51b9b9a810c4dd096b2e561949aefb3e39992e8c5ef47c0e854332d1cfdf68b54cb948f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20b436938d161a2cb18b18cbdf58f00f

SHA1
a8e9b729ecf62ea3218f546804744346794aa0e8

SHA256
a3a49c8844fc706db3ab724c22bd4daf93c9838c4f20b3f85d9f917a8a0a3955

SHA512
fc97f69c0f1cf8b6357e96733e34c521c9a4146080d8ba5c64a93b1e56d7ccccb6a171bf74813be43d36fe41cbc1283a6fbf53e71afa80ad73f3a6345d1658b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f2da59401ccc5978a1d1b43a7c4b937

SHA1
edc7b3ccb2eba5e211a976662c97bd8bc3659e17

SHA256
a7c69e8710149020f025c187a20be6b8b41641238ed8ac9aa1e3d68b8979a299

SHA512
88332636771bb4ff57bbdd9e72ebf3a59cd6406a6499fcd051b01fe9c383adf223558eee131a67b9d9c99f9449dd4f226e8dc40b8fc674a9c80f62f6e84d4cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14421f1a40c8d57e3747f7cd68a5010f

SHA1
4eb4ae623d37a4ce16afe88d15fe0b8bb0c67440

SHA256
68d2c00f203b0cc2f968cfdfcfdf39fd63e1c8c4e3e041915afd8931d4885531

SHA512
4592fc4c476955e6967b14dee744b749c4721655cdd442c5ccfe5bfaef61b561196efef3f61177cd48814fc089ce485c2480d1c82e675a2beb9fd302d297cd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
732a739d669fb7b8f7fdf759bfcbe141

SHA1
e57114d093f6586cdc45052de27c8bb0660f47d7

SHA256
0904f7ff7e1aac72e471772bc2f40e4d19fe36db53658bbdc9f7dedf56351008

SHA512
f47af2b0de7198a3b5f845f5051d69cab731535e24028dc4b533574907e75d0d4e28cb14112af2887bc757a291b25e8e03b587b11681476f034a34af36d285c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bce5e837fa28f616ffbf0c5f0e840acf

SHA1
6ea85dc7ec3101d1772168875a97898379afac60

SHA256
473ca7ea76d43882ce1dd0c03ff5753913bf8a80e8410b04d3b57357c2436bd7

SHA512
1dff94954141e4ad2bff8262578bd9fb21c3b8b38817c198ace6de8af049cef65e62478c567ff400b72ef2b6b7e04397229f9d14253712ea3cda4f380af2b04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dede1b5ccc139114362133ed6cd70dc4

SHA1
2bc8ab1162c9566ac682187f627eb1ae2d45e58a

SHA256
b98b0de660e58517640d216de569492842afd852a07cffe523aaaaf3d890d5f3

SHA512
05e3b59d29ff945c95395c0870fb95d4589b5e26a5ce491f90ea62a087a3735cb3885f7584abed2e8ebf0cbbd79bf3414b64d42e8abb09d5b869f401f2a47c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
db998c4ba35ed9fbf58f43cd6b4dbd54

SHA1
3253ff6509ed14601a2e03342c525c89751bfd69

SHA256
ce693239aee1c8712d654e090540bc18401c332d76c9eee69fbc04cd0112f9a4

SHA512
b6ff7a954ba2e50f2d5b821b65fecbfe8ef01be1893d76ea4b19e7e931c10de0f07e112a2339c4aeec81e098203f0e38eb3114fd5f988e86529209067a274c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef5fa242767b7686a05062f5c8da1b98

SHA1
06e0dae71506137b47972f3ea86ea1fc6691c781

SHA256
f395fcdebb4382a4e9955127444f3c81bfada53261144f25e964b9e7913c5bda

SHA512
802eba7badbef89aaf52e4629acc063a70a79792b3502d808b1d664ea018e0ddc243e185b5938d67a72c1327651579ab0fb9befb50ab55ed2f5fd234f0ba1f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_queue.pyd

Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\_wmi.pyd

Filesize
35KB

MD5
7ec3fc12c75268972078b1c50c133e9b

SHA1
73f9cf237fe773178a997ad8ec6cd3ac0757c71e

SHA256
1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f

SHA512
441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45682\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 847541.crdownload

Filesize
7.2MB

MD5
1daaddfb6b2dbed98782a04cd7170568

SHA1
e28c6ef02aab0bac41b09d5675b08f17ca03d126

SHA256
78b4892b566078b07e995d684dd1dddcf6ff5dcd7179978ebc3283ccab7f4f9f

SHA512
3af3a9b9b8d4a57e9926c32f34830f0aa29125a887dca45133d29408d8c743367037d5dfcec15ae7d43466094a22d3b15bc9eb6bd3a8d8bfa3796c4183aba4cf

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1828-375-0x00000127D3710000-0x00000127D3720000-memory.dmp

Filesize
64KB

Download
memory/1828-376-0x00000127D3710000-0x00000127D3720000-memory.dmp

Filesize
64KB

Download
memory/1828-377-0x00000127D3710000-0x00000127D3720000-memory.dmp

Filesize
64KB

Download