babuk | hxxps://bazaar[.]abuse[.]ch/download/79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac/

Resubmissions

05/11/2024, 04:41

241105-fa9m2axlfp 10

05/11/2024, 04:38

241105-e9f94avcnc 10

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac/

Score

10^/10

babuk defense_evasion discovery execution impact pyinstaller ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Babuk family
babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (165) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	e_win.exe

Executes dropped EXE 4 IoCs

pid	Process
5756	79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
3060	valorant-skin-cli.exe
5024	e_win.exe
1164	valorant-skin-cli.exe

Loads dropped DLL 19 IoCs

pid	Process
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	e_win.exe
File opened (read-only)	\??\M:	e_win.exe
File opened (read-only)	\??\E:	e_win.exe
File opened (read-only)	\??\Y:	e_win.exe
File opened (read-only)	\??\U:	e_win.exe
File opened (read-only)	\??\I:	e_win.exe
File opened (read-only)	\??\Q:	e_win.exe
File opened (read-only)	\??\X:	e_win.exe
File opened (read-only)	\??\N:	e_win.exe
File opened (read-only)	\??\Z:	e_win.exe
File opened (read-only)	\??\B:	e_win.exe
File opened (read-only)	\??\S:	e_win.exe
File opened (read-only)	\??\H:	e_win.exe
File opened (read-only)	\??\J:	e_win.exe
File opened (read-only)	\??\L:	e_win.exe
File opened (read-only)	\??\P:	e_win.exe
File opened (read-only)	\??\A:	e_win.exe
File opened (read-only)	\??\G:	e_win.exe
File opened (read-only)	\??\K:	e_win.exe
File opened (read-only)	\??\W:	e_win.exe
File opened (read-only)	\??\R:	e_win.exe
File opened (read-only)	\??\T:	e_win.exe
File opened (read-only)	\??\O:	e_win.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023d13-250.dat	pyinstaller
behavioral1/files/0x000e000000023b43-256.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e_win.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5268	vssadmin.exe
5540	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4684	msedge.exe
4684	msedge.exe
1444	identity_helper.exe
1444	identity_helper.exe
2916	msedge.exe
2916	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
5024	e_win.exe
5024	e_win.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe
1164	valorant-skin-cli.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1804	7zG.exe
Token: 35	1804	7zG.exe
Token: SeSecurityPrivilege	1804	7zG.exe
Token: SeSecurityPrivilege	1804	7zG.exe
Token: 35	1164	valorant-skin-cli.exe
Token: SeDebugPrivilege	1164	valorant-skin-cli.exe
Token: SeBackupPrivilege	5660	vssvc.exe
Token: SeRestorePrivilege	5660	vssvc.exe
Token: SeAuditPrivilege	5660	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4036	4684	msedge.exe	84
PID 4684 wrote to memory of 4036	4684	msedge.exe	84
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 3880	4684	msedge.exe	85
PID 4684 wrote to memory of 4908	4684	msedge.exe	86
PID 4684 wrote to memory of 4908	4684	msedge.exe	86
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87
PID 4684 wrote to memory of 1904	4684	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bazaar.abuse.ch/download/79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,119346326213895314,17119318746897684376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3168 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4488

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\" -spe -an -ai#7zMap30289:190:7zEvent21667
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
"C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5756
- C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe
  "C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe"
  2⤵
  - Executes dropped EXE
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe
    "C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\e_win.exe
  "C:\Users\Admin\AppData\Local\Temp\e_win.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    PID:4372
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5268
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    PID:2348
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
f0b8cb648784f6a45c5f9cbb40a43926

SHA1
f4fee41f67013a42014ecb2209a3549d5d3d7b7c

SHA256
f7fcb7a8f74605fba090a04c9b6abba5c224ad9d821e0a3277dd3d7b0a6fa483

SHA512
eda48a85c6fb9dc69eb4f522af9b70297673e073353a347ef890cc8ca79cd90037cf7ebee8d13eb722e7559a9808fb83c6ceaecd29cc264292aed9c579a4c545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6de5bd18bb13a6f0967bf5891c10902c

SHA1
ee09c1f562983126942cd12cf2ae694b496b7425

SHA256
9a66b0edd9386e247fceecd043306782ff806d98917c25e814d9b50bcadf6252

SHA512
230b7dba69711f408502ce092275abe9046da47d72f522e6a563651583efc1099e81f8b574f2d0b4dfd0526a572c6bc002f90df032fecedcffd668ef1acde6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
159eb5ea9822f3bc2d13425733fa7c72

SHA1
6fd8036a68968274d68db67dedbb5280bba17e67

SHA256
b96b0c643efd48917ce59d4e5b3971c6b147d1654e12ca89b6f163c43ad2c987

SHA512
3deab7dc35d37af5225d1c943f95a75bbc6e185765d796182dc3fe840a0e0c850624964c30c99ba17d7c324dd73c0eebce68e783076eca00fdd92e84f203587e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9d51cd390b0fd6b9a96f1405f20572c2

SHA1
9a579157664ef49583322e1bfb418090a3bf07d8

SHA256
560736a4ca0da9c7755f17685729c6cc1ecf1ebef44b35b06748a766716f0451

SHA512
44479e992699ecbb85dc32afbdc904cb90977055ce98d70f69b03fdd24d7401da18e4e69e5c01c572cc842f1ebe0b0b35ee089da35271700a2f019cceba6546d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e77dc22b3937d5518ec56320a732673

SHA1
24cb0bc98e768d1d38488fb82dfe36daa9a317bb

SHA256
42567071bef2dfd8678381590cd32ccd5372a4f85eb6ee95ffbcfa62cc773547

SHA512
02b6ded37f8e59d439eab27ec732980ed64e79e3e50342d5e014a0c2d81711f2e15e4c1cc824e694dd3c72342df547c0341ec3459b019ecd0f6d9082ab5ba5bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90aaed2dd8d8b54d8b441b8d66d0944d

SHA1
2a2b2bfaf17210002f809bb5201613e81e50aa4d

SHA256
d46d375d810fb19d99098984983af081b00811855be3b8fe9f665c3c17131635

SHA512
784867c40028e7e11715b19a30711b0e9ff2a689d8e7c4a438f2336e4f39951af42118395a5b5a5f4ea3dd7ea134308c555cb3e4f2b0e14e92858afc14652770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fef3b1f8f38fbba3bb7c15aa3a010aa

SHA1
018451f227e66af46057d170e303fd83f438b580

SHA256
32c7b8f87e0b7272451e240d6b6599bf6309f087bc328eec869ecfc36e9f8248

SHA512
df4ffd04ce7e8df436fa41ce12af467251f42968dd913bb01fe8eef035aedd951c91871abaf18ae759f583beac6955bdc840db9ba6fedf2f2d4ea283e1216f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
9788e6ff6452a85e47d85ee9f55e4c4b

SHA1
163736ab117a9a7287dd8d9b3cd3c9f3e9afaa10

SHA256
ad001fa8b3e074fd895c708eceb6baea1e02d75573536c702a15167746547f49

SHA512
8ab07902699a5ee13616db44270e0aa9a6c9657720825f2d470df42b5d891bb8b0941cf35731cc87ec749687f6426b11ab9a67e7339bd53c5aa1e86040dcfdb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
921b494f844233350cbfb96a76fa1d6f

SHA1
04f7aeebce8aa0e3668cde9a729892dac9455061

SHA256
bfcb23fa612ab74621cb4b957e5ea641996cd82792065c9ae919e6587f23d8db

SHA512
a55e1d525146150bf7f59713d644a985ee717d70773be7f02747aeafcf8505d453872d80ce4e003047e42e3f3803636c778ce88f541383bb79cb48c3244fa925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58491a.TMP

Filesize
368B

MD5
136f70194a2e11173e84ecf86c97a94a

SHA1
1dfc97165f3089729015178bc65b3a869fc7c99c

SHA256
d5c00eaf6df28f69d13fccf08a844e5ed6f054648f730ea6f115faf816cac770

SHA512
44f2ddd12012cb273ba6f335c0bce9897dfbf5b79398c9fd3fd13e9818645222f0815fc5f749e51c101ba35f138972516943406b6414a5833fbf10a5693b465f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c806695a-b6ad-4873-9f59-cd15ed6979e5.tmp

Filesize
1KB

MD5
d2be9b37005c047769ad17270e670fca

SHA1
3b6f43b772c36ea5c8214f6a866869f7d2a9b4f7

SHA256
3c202e1f47b6668c90e87bcc48f27fb4f76bb046449cd89973d0461ff93bfa8b

SHA512
8c7f7cb805b4c6c26d95ca4c8476d13780931f07c0fef08b9808efb22ffaaf59141574f96994a62ae76a00aa1b2b2b54fae6f6715d558770a045fc6c202c8c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bd5fff167d91cfbbbde98605fb0179d5

SHA1
c17743985f2d165cb44b4b1129cd115ab1f10840

SHA256
b4d1f3b6942465afca55ebcd9a5217e41cffa8579f93e2c0b811735f0a9fffbc

SHA512
11b2ad195db408bfa99fe61aa84d36b87e89c997e4267783e9699036bb7b25b5cd9955ad2e5a0f99cc30fb3157a2a056ff579ca31db561b863dbae413b84215b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4578a70db8df22f51dee80594bcd9ddd

SHA1
cf4d582947c38df7dc2e5fbf59289948a84fa9a1

SHA256
2a7e3d60d934947a35a45e1ab6c829c0a1ab2a313118ef25ae6dcedafa10f40a

SHA512
9a22988f9bf4cee529874fb9eb03ad772427b0f9fa3b6b765014b805b3140ed3d766e96e40262e8074a98bea35bb53f735d07eeab144fb82ab304e37c007d619

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_asyncio.pyd

Filesize
70KB

MD5
45126a5a3995f890e5c942ba615a569c

SHA1
928aa2b9f2e2485dc835c6d0f92999f5d5581264

SHA256
490e3b87f7a570ee09e4d95a439c525883b4ab22b701cf89f68409a559e7bbf3

SHA512
dcc282bc6e6b524f1e9a66a042a10afb13aecc6a77f18414524d1e7db69aaa919b856a415e81acd79a58b069b2d5a8b12f61dc25f1f62c486805fab15f439232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_bz2.pyd

Filesize
87KB

MD5
92075c2759ac8246953e6fa6323e43fe

SHA1
6818befe630c2656183ea7fe735db159804b7773

SHA256
e7af6119b56ddd47fd0a909710f7163d7ef4822405fc138d24e6ce9de7a5022f

SHA512
7f3a4409859695f53291c96dd487bca2649815bad5f4610c2c6f92777411d39210e293d962573a20dfe73ea15331de7e6c18b017ae1d6f226387eab1fc1f586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_ctypes.pyd

Filesize
131KB

MD5
2787764fe3056f37c79a3fc79e620172

SHA1
a64d1a047ba644d0588dc4288b74925ed72e6ed4

SHA256
41c593c960f3f89b1e1629c6b7bd6171fe306168f816bef02027332a263de117

SHA512
1dc5bb470be558c643a3f68e23423697384bc547b1192cd398dff640e28f7df85563bc87643cdcde9b8b4f880f272e13a673a018ae251e100bd99790f993afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_hashlib.pyd

Filesize
38KB

MD5
7808b500fbfb17c968f10ee6d68461df

SHA1
2a8e54037e7d03d20244fefd8247cf218e1d668f

SHA256
e2701f4e4a7556adab7415e448070289ba4fe047227f48c3a049d7c3154aff0b

SHA512
b4239e792141bcf924f61bfd46033934337079b245f423b34820d36c6599ca35ab06bc525acfff4cafa75e31975fcd0409dedd203377d642fc5dc55ec2c1fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_lzma.pyd

Filesize
251KB

MD5
ab582419629183e1615b76fc5d2c7704

SHA1
b78ee7e725a417bef50cca47590950e970eae200

SHA256
5a45f7cd517ad396a042bc2767ae73221dc68f934e828a9433249924a371ee5e

SHA512
3f38441dd0b88b486dafaa1e15d07f0ee467a362c1603071a2fa79de770fa061ced25ca790f0d3139f31178c719cc82ac88601262e2a0ca809708dfa3f6f76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_overlapped.pyd

Filesize
43KB

MD5
73ed0ee50db2ea98118f704e78d5e95e

SHA1
93d6cf61c8848e70f2afffc698f9718a18ad74ce

SHA256
009cadfd046eee91e183489edf6b8ad8562e5c9e851ef4ad0034b5d88201c942

SHA512
efd98f373f2309bf50139b35fb17e0d1355bed421c827224d8eba093f3005c3325cc55ef2853cd2d55e2873c9a73e3867bbe4d267f52c6fab5cddc8f2d076a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_queue.pyd

Filesize
27KB

MD5
a48af48dd880c11673469c1ade525558

SHA1
01e9bbcd7eccaa6d5033544e875c7c20f8812124

SHA256
a98e9f330eeaf40ef516237ab5bc1efac1fc49ed321a128be78dd3fb8733e0a4

SHA512
a535dadb79c1ca10506858226442d1d1fb00e5d6f99afa6b539e2506a6627a7bd624a7ee2bc61f55c974113de80fd7a95e6c18e9402736d32d5099077ca1b913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_socket.pyd

Filesize
74KB

MD5
10cd16bb63862536570c717ffc453da4

SHA1
b3ef50d7ac4652b5c35f1d86a0130fb43dd5a669

SHA256
e002a1bd6fba44681d557b64d439585dba9820226e1c3da5a62628bbaa930ae3

SHA512
55ee581c4005901661efaf9aad6ea39b2b2e265579539d464d62e4209638567b3b9fdd945d0bed0a1047f977d374a5707a970c621ca289077e2d6c5aeca491b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\_ssl.pyd

Filesize
121KB

MD5
8b5af5ac31b6bde9023a4adc3e7f0ce1

SHA1
c5d7eaaed9be784227a0854bfb8a983058410a35

SHA256
7040d3712f31b7d11882ce8c907452fa725678b646b900f6868f43ab3e4ddab6

SHA512
499aa2321a2e5492c700513d63cf08fc12d3a430a5e9f5d865279919f6d7b74385b6767bbee63616f84b52d02070b16b2d4c3921163c42864f33e7b5331b1444

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\base_library.zip

Filesize
759KB

MD5
5cb31103b8c5e6ceaaa78e4f3f961e2d

SHA1
cb14e1205c62cc3e8e808259f51731864724c541

SHA256
eff3e9c4b1a960c3cdc4f3a85d416b93c4d34ba1f76f3008eaba369f7fafeecd

SHA512
42b2776e7c20919805594d4fc1d6446eeecc27a60154577568fdb04fc811250cc5410dd1afdf25c61e22c8ef3f4f77670b01e586317b810a3365a877b5f6bdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\certifi\cacert.pem

Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\psutil\_psutil_windows.cp37-win_amd64.pyd

Filesize
72KB

MD5
eb2e7580f823b00576880cada4526092

SHA1
9195525a1e9cbac344171dd5333f2df0852c890f

SHA256
3ee35d8a42d5951c8498246aa6d302bbffecea65a2fcaa78a069011c6f543d59

SHA512
aaaef52e15a61490d87c2c1e49713590b3bfb65229c4318fa51bee92b9440e1fd546bfe8773440b559a55a9525f51ed2bfc9996fb4de50476533db3d6f284b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\pyexpat.pyd

Filesize
194KB

MD5
02d615171b805cc573b28e17611f663f

SHA1
2e63b78316b4eae6ee1c25f1f10fbbb84ecef054

SHA256
e60b5cbdf7480db1fc829e05ce45703d43d5ba25fdf7fba21cca1d38b1f3b3a4

SHA512
b61cd3d16d1a192016a50342ae71fee8f764c4c156e275a320f74cc4ec65755c91c022231d09a76b59d6225960f5a930f1887003b1d6984beeb5a9648b045427

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\python37.dll

Filesize
3.6MB

MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\select.pyd

Filesize
26KB

MD5
39b7c056bca546778690b9922315f9ff

SHA1
5f62169c8de1f72db601d30b37d157478723859b

SHA256
9514b4c40c35396b1952a8acf805e993a3875b37370f44ef36ed33c7151412ef

SHA512
229538131d83299ea90652818c99972c1ee692c070e7fea9599420c99dd8ae75fb2367e9509aad23984fe0a8d21221a59bd57493b5cd1d6c7391c3c55d714e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\ucrtbase.dll

Filesize
983KB

MD5
e3cbcb26ee85737e70ce55d498fcaa38

SHA1
8dcdcf5e8d9b621a149163cc3f12d01fde1ef4ac

SHA256
8ab85c80c5d9ad3618fd86aa45a878bb5a5d7e449528c317a8239c33876c75b5

SHA512
eb85a84f0d7e4f65ab67869e56b68f8da72a570b9b2fd0ee28e9d3ea9a80b4d35352261213b0e26d9d7592e750a0870e7b62df69e948bc060b0bfe6cea9fb12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30602\unicodedata.pyd

Filesize
1.0MB

MD5
d2ab7f9a441bb139feeb0e11eb600371

SHA1
467aeb881fccd4a43a16f319635da81f05279cc6

SHA256
465ab1b24c39a5a5da9415c96740dfdb4d071b25a7a87e275841e1d66a57e88f

SHA512
cf8eaae07c176fab5ca54a3935ec2fd6933e3f2d0ca107bf60f1389f2258865d101685918c7a04802da2a97980747935f1b56b0da3d1db3a1ea282f74db0b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e_win.exe

Filesize
79KB

MD5
2298d910b2d34e870e0f561eda4dcfc6

SHA1
078b2cace5161e34aaaaeba6bfbe3f6259651f34

SHA256
bb845cf9c1674452a995f58b3971c04fd67a0a8d256288e58cb4454bb80a5efe

SHA512
6465216a71c116321a6e7d9e1746247cfe1c29a5897422f13ed55cfb3a0daa42ba673a7cc308bf5440c6bf5fb084d065a6b4aab84c11ca1d81fdf23c09cbfe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe

Filesize
11.8MB

MD5
618f14f157f325c42d4ee192d218e704

SHA1
d7889120eeeb8bab7fc45e0391afdffcae4d681a

SHA256
f19ea07dc1e91fc2a19bffad3e0e7a0b3b76d05cc617bae40a43289691b9a190

SHA512
fe8d79303670d593670c32b804ebcfe905f0ce2f85e346e6972ec95591bd66b3b77def5657f7bbae49310df1b4e94897722c3035721463da77ebdaa5b66d4ee6

Download Submit
C:\Users\Admin\AppData\Roaming\valorant-skin-cli\config.json

Filesize
297B

MD5
570b1fdf399f507290125437e06b77e6

SHA1
660c6cdd4d6a257e7219f970a73c7a81d7509adc

SHA256
2d33a0d437b652881cf68883f1fe44f779e17c13ef32348b3d224890d9779b7e

SHA512
9414c42919e718da6e5e1648feeb9398a51b759e0d4ad51cafeeea0f1180a32d15fb4528711cd26234adc197e552e0c21715eb360cc041c2d47105dd6516b4b6

Download Submit
C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.zip

Filesize
11.8MB

MD5
da3a6bc284b2a0843a871c1541bfe2c3

SHA1
a5e2d60f0c46cfa5ef92cce7d65096edc48dac5f

SHA256
afe20206fff25e8c8d79bdf0029ef187d1d173409556f9b2d14d7d23e8ada5e1

SHA512
47c6af9ec1c7f496a2ab78f8bf55f050814dc96251084867b4032b053f85826706fbea15435152205a75c204840ce989b88ee5955a73e5eb4005c3afc9d29e77

Download Submit
C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe

Filesize
12.0MB

MD5
59d018958d77ee68568eac6250a4224e

SHA1
a5ac1b794b33da74b7d587b04394721f7aa96d0f

SHA256
79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac

SHA512
5f285f3920463646a77487c9e0b1c46ebe950f779fafb524d6064aa280ba84c3119cd19c2b88f3011e20a7f7b70a1341103d42baca28f1781d8670bca8737881

Download Submit
C:\Users\Admin\How To Restore Your Files.txt

Filesize
259B

MD5
f026fb213f419a400ba83e1a69d26472

SHA1
821f1318d077065fe1a3fe2075f053f1191d5739

SHA256
b87c7d852c60b34e5986e2d41fb4f644df11f7350ef2272ad58a469e476d2bc1

SHA512
6929aa4dccef21718625513ab21c9e39599969d6350dadfa00747cc8bde302d2d7158df845686f1e607b2b05126697263982f6ab61e189781117c9329176e50e

Download Submit
memory/1164-618-0x000002AF1FA10000-0x000002AF1FD52000-memory.dmp

Filesize
3.3MB

Download
memory/5756-267-0x0000000000400000-0x0000000001009000-memory.dmp

Filesize
12.0MB

Download