hxxps://drive[.]google[.]com/file/d/1UhZuVquQSGbGRAjtlcJ9BiZcpGQeSjxl/view?usp=sharing

Analysis

max time kernel
113s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1UhZuVquQSGbGRAjtlcJ9BiZcpGQeSjxl/view?usp=sharing

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
624	ransom.exe
5756	ransom.exe
4812	ransom.exe
4808	ransom.exe
2104	ransom.exe
2752	ransom.exe
2236	ransom.exe
1788	ransom.exe
2736	ransom.exe
1660	ransom.exe

Loads dropped DLL 30 IoCs

pid	Process
5756	ransom.exe
5756	ransom.exe
5756	ransom.exe
5756	ransom.exe
5756	ransom.exe
5756	ransom.exe
4808	ransom.exe
4808	ransom.exe
4808	ransom.exe
4808	ransom.exe
4808	ransom.exe
4808	ransom.exe
2752	ransom.exe
2752	ransom.exe
2752	ransom.exe
2752	ransom.exe
2752	ransom.exe
2752	ransom.exe
1788	ransom.exe
1788	ransom.exe
1788	ransom.exe
1788	ransom.exe
1788	ransom.exe
1788	ransom.exe
1660	ransom.exe
1660	ransom.exe
1660	ransom.exe
1660	ransom.exe
1660	ransom.exe
1660	ransom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000234a6-98.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 371763.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
3924	msedge.exe
3924	msedge.exe
4212	identity_helper.exe
4212	identity_helper.exe
3648	msedge.exe
3648	msedge.exe
3056	sdiagnhost.exe
3056	sdiagnhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
1776	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5816	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3140	3924	msedge.exe	84
PID 3924 wrote to memory of 3140	3924	msedge.exe	84
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 3572	3924	msedge.exe	85
PID 3924 wrote to memory of 4616	3924	msedge.exe	86
PID 3924 wrote to memory of 4616	3924	msedge.exe	86
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87
PID 3924 wrote to memory of 3768	3924	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1UhZuVquQSGbGRAjtlcJ9BiZcpGQeSjxl/view?usp=sharing
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e39c46f8,0x7ff9e39c4708,0x7ff9e39c4718
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,7914008511549459581,6191949769372063883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultba782538hd14eh4854ha79fh1e76f05e650c
1⤵
PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9e39c46f8,0x7ff9e39c4708,0x7ff9e39c4718
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6429575115748479689,12311748569662117525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6429575115748479689,12311748569662117525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  PID:5132

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5336

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:624
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5756

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\ransom.exe" ContextMenu
1⤵
PID:4804
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWCFED.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1776

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jpc1jqmm\jpc1jqmm.cmdline"
  2⤵
  PID:3128
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D5.tmp" "c:\Users\Admin\AppData\Local\Temp\jpc1jqmm\CSC895D1A121F334E869F8E7B9A119587DF.TMP"
    3⤵
    PID:3740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5bhg2m4\e5bhg2m4.cmdline"
  2⤵
  PID:1648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD443.tmp" "c:\Users\Admin\AppData\Local\Temp\e5bhg2m4\CSC659AF05514AA4072BF60541CEA7B3030.TMP"
    3⤵
    PID:3124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcannqij\hcannqij.cmdline"
  2⤵
  PID:4496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA6D.tmp" "c:\Users\Admin\AppData\Local\Temp\hcannqij\CSCAB280A45DB7244209B2731163573E99F.TMP"
    3⤵
    PID:5788

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:4812
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4808

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:2104
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2752

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:2236
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1788

C:\Users\Admin\Downloads\ransom.exe
"C:\Users\Admin\Downloads\ransom.exe"
1⤵
- Executes dropped EXE
PID:2736
- C:\Users\Admin\Downloads\ransom.exe
  "C:\Users\Admin\Downloads\ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024090502.000\PCW.debugreport.xml

Filesize
3KB

MD5
5a728ba2928b53b3aa04d6847ac055e8

SHA1
2693a12c9c3cc06bae67341142077506e5dfd89a

SHA256
193e13ee9fccf61d29ca4c98286e4ab31d5bdd24dc08ab7cce8c5cf82fff6f40

SHA512
a28dbebfe910e68d0c506a6e1b5b2a10bbde0899b70609b934466f11b630b1e097563a01403b66a3ec1931bd5c25df9103c247b551723fb5d64d1f18eae8ff14

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024090502.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37ba24702bef3d08c773886387130d39

SHA1
1db554b058faf06719e12d1c268c2616b4fc7cc1

SHA256
bd4c51e5ed84450055eac2081ddb3a4ecc7e866a740817dd3016161ee4f9919b

SHA512
42c1665659fd5d16652b3b88be816ae0841d682fa6ecdf31bc066f17a4c5179f42cb869c08fb0520e1b6e8f8436bab1b445c40ddb0ef5dea228fade18ae073a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e94915dfb1e1059dc34e6beb39986f51

SHA1
c96d75f467aec89378f5c6ecb396b3e6c3b42a74

SHA256
64b61ba0a098b5ac84259a28cea2da007a3840d503579a0c66acf558105f18e0

SHA512
3afbee2943f43df794ca0abb5e40a0c6f840019495434aaa68e5a9ce1202bd621c6a4fb4cd36146684537991fcf8fb632cc3e2ef59c7206c6843076cb9c139dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
a2a1d6c4ef817f62081aaf68dab56db4

SHA1
f8c5b51b1b5e8d79af43d6a478a2f58ab73501e7

SHA256
37c9dd67c8061166995597009e8162ab352d71ecf46c13d0f9d978cd825b55eb

SHA512
549f145904efecf85b80edf1369c0da3bc0049d24890e33015819e9a5f2b7a75bd127ee640b95b2832858f013783741e2a6c22c643879a594ee14bc89a46b59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d531020f45585d257de902fa197eeae6

SHA1
a0cc7ada84234f23772091935f188637cead1a03

SHA256
3ce0778e3134018dbdb2d9ae3ca431b23a78be2f91a476a86b5cacc194ab2a81

SHA512
09a828c2882c8c43fa1ec6dcf83a46b7fbc5dd82a162328363097c583dddac32e8f53ba204c0858a8d53fc9ee4809a0fd512d8094d122dfb53cce25c838cb260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0320e496fd3e7abe2ecbd96488d3f72f

SHA1
e30a60deef5c4cb2be396887a43afbeb4d78f19f

SHA256
0d062237e2bffa056e89eae764f647b2c091ceaa5d89dfc60cf832183c55e162

SHA512
758a240773d33aaab1d3c88851262bd9ec72ffb64f05e49ae700a6b9832de70caf38d8d30bc41dc4534106cbd9560b414485925868ba9d5f7d87f3413e7799b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e15923c3ce9ce9f21e4392d7fada835e

SHA1
c223d8e573c7889c5744fca49ed5ce1df1d93c48

SHA256
55378fb24d6bfb6e31d9fc1d6556c63aa5c3e0c5121ec9154df48322e503ace5

SHA512
0f5880c3b3667add37399502e38ab56092457c452aad83ce321f646e6778bea7b7e8ead0254b2dee1a9415b909fe6aef1b48db7ffce153526ecb8365ec07d0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
acbf14d911f9c8c65f85a6944e63005a

SHA1
b0da95c6ed43289288659855fa599627b84e00db

SHA256
613bc59bf0443f668baf51a42589a8e311644f55a16aa11acad1529b7aa0fb43

SHA512
708336bb10923b094014e46e13180d679e4aa964baf908b7ad1f8efd0b16cc6c6810068b3d1c94e6b8b812a1f61014fdeb7d190f39461a30c3ee7ee13dbe28d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65177e27d2c7555bcd02b9cd77663293

SHA1
edc0372b695f4ac9a519e9ddc50fc158c60710e9

SHA256
76cc3c208ec404bb7096faf8e8a61a66e95dd5b2c6e28c2550faeac59339b68d

SHA512
2e12524a40dade609c233c0439e58fb08580dc29588c65dc025d44bad3a0437837f84380ed5c49c478494ef00bd727bca604c611b2ed828892ea3f7a2c6e4441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1012646c1f5ab19ad55d471aa5752d56

SHA1
e2f097f99b0ca8329748070339292ab35ddb9e36

SHA256
62aa0d0f40344f82c30b971cb16b89048bfd19f8beff3ac6bcab1c6f8f043979

SHA512
2da0e7a57b3a96f9360a3b2356c24420a389a50bb004e56bf241cd1955574292c2450ff7bb2526ede1144c450b61ca199c34a2695a7319258ec9067bd49c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39c7fba007ec60a74af780b33572cf28

SHA1
ff4dc167eadfb353dc69b00d99ccbd4855f2a977

SHA256
2fd4da7d2be4c886e0c09c7c65ce70950876ba5e88b4ceff5a211369bbda5a01

SHA512
cb0faf0270fd439fd371c9555d7dee3f8831093375053cdfe62fc3af6cbc604867ed4b06c83fe990ec18983cef4c5d2fc18973a2bc32ab638e81838e649eb863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3812547beca2ad5eda47e0238d5b8f23

SHA1
1f436778fae965dd099b27ea713c518ed4a92599

SHA256
c719f4075e7b860d08e532621ccf65bb5388e1a03a30fe741f3f2aa80242f42a

SHA512
4e4bdee6c71846173c959bfb0f4a5b60c7d33a66492e0134d4a83ee88d2c641e03dc5e58ac471dc0612cd977d180585ca1095a19403b4c783e2ff39c2b4d7f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb25a9b62bff17e90ef4e9e6108ffe81

SHA1
33848012a7fa3f49fea766d250bcec1c708aa83e

SHA256
7886dcb890376fa75eec50d0b4f445097e10a6bd423ce48b979282434642eb24

SHA512
f766429220be93f655cdda2edb28d9f8d2a2ab10f2a7885c402300ab4a42a54d477f1d2f274d245e1f08c66e169bfbc8521a17ee678b42a5bcec6e3d2c8627fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWCFED.xml

Filesize
710B

MD5
34e204ef6472b794001b3d04b39dfed2

SHA1
a1e58de0174b139b1a3400250a9bac4cbecc1586

SHA256
400c151dc6d9ce73771b493278c7313e961fb5cd7c710a53f9f71e992ede6e09

SHA512
7e4a6a2ddda2dc9164efd05e788a73bf0d8dc764f6d3336d2578d5d4e9f9cc804278d051c10604fd20a1d5547c147bd4e335e204a96869ba73cff0e7adf69414

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3D5.tmp

Filesize
1KB

MD5
ed23f00c7ccf4cd72215049be00cc8c1

SHA1
6dc231db308112c30edf0cd02669f29d6dd21dca

SHA256
2853145e97ae2dec2989968d88b9a62896af8c2ca540bc723d400bb494f31e08

SHA512
8ff06fd4daa759606d6214c72b5ebf033b4dab13aceaeba4840c2b407a91f35c2f1003a6b04b69796d7f97fb26e6eb3419c1ee5bc0f483818326b2500e4c4e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD443.tmp

Filesize
1KB

MD5
00c5bbd5196b7a390e2bed41063f97ce

SHA1
29b41c14c2cc4c9e1b73af673abdb1d2842e634c

SHA256
0c7430aa32e1ae6bf669b684d85e64a51f22d0bda67defe82c81f0af39fd166e

SHA512
2a6aacdb3937515948b76f32470a909a56119049c1efa37796f489b3f6dac4f26dae1897e9fb8f5d33ff9d0e1278c6e7d46a9d6a8c09333aad393ce46188190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_queue.pyd

Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_wmi.pyd

Filesize
35KB

MD5
7ec3fc12c75268972078b1c50c133e9b

SHA1
73f9cf237fe773178a997ad8ec6cd3ac0757c71e

SHA256
1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f

SHA512
441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6242\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_su4lgru0.wdp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5bhg2m4\e5bhg2m4.dll

Filesize
3KB

MD5
2d774fcb220d3b252a5c4eeae51a7b24

SHA1
9b4b5be7bf29b7c0249987bf1fe0eca775d8afcb

SHA256
596d5e2a9acebf0e25cd73089ef8372ec00082731272501560f67f9464fc1d4e

SHA512
720db3783fae47fee35b24c0aeb2650f0cd3c57a5b225d8d92368feefc811bda28923f941adb26a8914aaf20662c4bd0a366052644aa8288b4c5df3cd314bc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpc1jqmm\jpc1jqmm.dll

Filesize
5KB

MD5
11ec4b5117018e2859971143559895ea

SHA1
3b0e4bf04363f4c61dbab6d7a3de1f500bf378c6

SHA256
c48ac9a5f9b5e41d17dafb442654433a208c787418439b40e399ce4696139c4c

SHA512
0f951c44eefcd0c1bb4c6ed9cfe330e2f707a948d3371e20fa50b19251f6adc3efbb6c63e9b7565dea3dc87f86e3cb8b74b383ffb73f1b14627713e0858cbd24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 371763.crdownload

Filesize
7.2MB

MD5
1daaddfb6b2dbed98782a04cd7170568

SHA1
e28c6ef02aab0bac41b09d5675b08f17ca03d126

SHA256
78b4892b566078b07e995d684dd1dddcf6ff5dcd7179978ebc3283ccab7f4f9f

SHA512
3af3a9b9b8d4a57e9926c32f34830f0aa29125a887dca45133d29408d8c743367037d5dfcec15ae7d43466094a22d3b15bc9eb6bd3a8d8bfa3796c4183aba4cf

Download Submit
C:\Windows\TEMP\SDIAG_333bf6ad-6be4-41c9-ac8a-5e553e23ce7c\RS_ProgramCompatibilityWizard.ps1

Filesize
49KB

MD5
edf1259cd24332f49b86454ba6f01eab

SHA1
7f5aa05727b89955b692014c2000ed516f65d81e

SHA256
ab41c00808adad9cb3d76405a9e0aee99fb6e654a8bf38df5abd0d161716dc27

SHA512
a6762849fedd98f274ca32eb14ec918fdbe278a332fda170ed6d63d4c86161f2208612eb180105f238893a2d2b107228a3e7b12e75e55fde96609c69c896eba0

Download Submit
C:\Windows\TEMP\SDIAG_333bf6ad-6be4-41c9-ac8a-5e553e23ce7c\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_333bf6ad-6be4-41c9-ac8a-5e553e23ce7c\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_333bf6ad-6be4-41c9-ac8a-5e553e23ce7c\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_333bf6ad-6be4-41c9-ac8a-5e553e23ce7c\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5bhg2m4\CSC659AF05514AA4072BF60541CEA7B3030.TMP

Filesize
652B

MD5
5150c5663c9f9e02e412b62bb6d28b95

SHA1
6fad771d0023fb09016e8fa90d25d7438433aaef

SHA256
3b80adaa9c15220798ccc5a184ed04503a2539e2b256da900f83c25d65bef228

SHA512
0a1f00464badf589e35557187312bfd751eb24e9c5d6e2b166bf14f6f3cd0b22fe9296b08ce8c7c8763ace29c23b24ad4e02ee96133179a090b9f2d5d7bd1cd2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5bhg2m4\e5bhg2m4.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5bhg2m4\e5bhg2m4.cmdline

Filesize
356B

MD5
efa7124837d431ddf4086a42d94f82ca

SHA1
6b258650d4fc6603ded9c37402b65e560ba858c7

SHA256
6dfe3bf85e6bd06ec68d86c12e5b81ac46fe0b258c60b118a3d7178f0229a2af

SHA512
4288a5f71543e8ccfaa38fc01863c31b1e82eca0b6bb3eb453b00086bbf401b6de6ac58990e31bb8727e3739d392d93a97f3144c06abcb4450d1640033fd8d6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcannqij\hcannqij.0.cs

Filesize
11KB

MD5
acf1a7b8aab4c6efda423d4842a10a85

SHA1
ac55b84b81527ad1224a85640c5a2555b19b685d

SHA256
af0a7036a5f650570990f2d562a7c7636b6eaa54f53b6ce3f43aaa070188dafa

SHA512
22e5a8b633a0189e836adb0c34c84b5029e8069e2f0a77803da91ce2b0da14b8fa231ddd1f1b164992d534b8a4ccc51c270e8ff2ff3f2f34536432b4abfc04e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hcannqij\hcannqij.cmdline

Filesize
356B

MD5
32688a51e54730e9bee8cdc435bce912

SHA1
b43b726179faa05fa67cceae41f6c9e32dbfa34d

SHA256
eb24411e202201aa4d784065b687fc2f395e668f23c535d1725cb03a95643ba4

SHA512
f9dfb6b0a04bc2a03ce78520672579c3597742f41135abfc294da244ce6c4694b64f197cbc7141b1b0481ee5e657cd5a067d0690ce90c9bc75616c3e9f6d8355

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpc1jqmm\CSC895D1A121F334E869F8E7B9A119587DF.TMP

Filesize
652B

MD5
a553292b78b35cb79c230d78032fac6a

SHA1
6d17e7079ba8e69aafd5d62dc31f9f90a5d8213c

SHA256
d7a3d85b3bb1da15cb9a18f4496d73ee58b9c86e6d87622ae011cf5ab071a4ab

SHA512
62c53c3e2fd627d54465072a8b3ab36bde522ee37ec4720d9a4e016f71d69d36ba82de52b5999bd5e6a9dd8416dfd721656b6cd4fcb2d93e8acc0b3eeb51c1d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpc1jqmm\jpc1jqmm.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpc1jqmm\jpc1jqmm.cmdline

Filesize
356B

MD5
10ca97d34e3b8d1cf11facafe0ec1256

SHA1
84535a68dcc5f50bfb48ed5fddcdb72aeab142a3

SHA256
2b3fd2a6cb01ef567039b7c0a5938e4cdf9edaed486455f0b4f7083af7f5db1f

SHA512
90df9517ca17e27019b9ccfaab0ff30f72daa9fca3f8414be87bb938cbc00da16bc9f7d69db65ba5297631cdd804f352a9fddb58b10c8bfb910b1427918e959e

Download Submit
memory/3056-500-0x0000022710D10000-0x0000022710D18000-memory.dmp

Filesize
32KB

Download
memory/3056-514-0x0000022710D50000-0x0000022710D58000-memory.dmp

Filesize
32KB

Download
memory/3056-485-0x0000022710D20000-0x0000022710D42000-memory.dmp

Filesize
136KB

Download
memory/3056-526-0x0000022729560000-0x0000022729568000-memory.dmp

Filesize
32KB

Download
memory/5816-179-0x0000029F806C0000-0x0000029F806D0000-memory.dmp

Filesize
64KB

Download
memory/5816-178-0x0000029F806C0000-0x0000029F806D0000-memory.dmp

Filesize
64KB

Download
memory/5816-177-0x0000029F806C0000-0x0000029F806D0000-memory.dmp

Filesize
64KB

Download