babuk | hxxps://bazaar[.]abuse[.]ch/download/79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac/

Resubmissions

05-11-2024 04:41

241105-fa9m2axlfp 10

05-11-2024 04:38

241105-e9f94avcnc 10

Analysis

max time kernel
161s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac/

Score

10^/10

babuk defense_evasion discovery execution impact pyinstaller ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Babuk family
babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exee_win.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e_win.exe

Executes dropped EXE 4 IoCs

Processes:

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exevalorant-skin-cli.exee_win.exevalorant-skin-cli.exe

pid process

5612 79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
4296 valorant-skin-cli.exe
1932 e_win.exe
6632 valorant-skin-cli.exe

pid	process
5612	79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
4296	valorant-skin-cli.exe
1932	e_win.exe
6632	valorant-skin-cli.exe

Loads dropped DLL 18 IoCs

Processes:

valorant-skin-cli.exe

pid	process
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e_win.exe

description	ioc	process
File opened (read-only)	\??\R:	e_win.exe
File opened (read-only)	\??\T:	e_win.exe
File opened (read-only)	\??\J:	e_win.exe
File opened (read-only)	\??\K:	e_win.exe
File opened (read-only)	\??\M:	e_win.exe
File opened (read-only)	\??\E:	e_win.exe
File opened (read-only)	\??\U:	e_win.exe
File opened (read-only)	\??\G:	e_win.exe
File opened (read-only)	\??\Z:	e_win.exe
File opened (read-only)	\??\X:	e_win.exe
File opened (read-only)	\??\Y:	e_win.exe
File opened (read-only)	\??\I:	e_win.exe
File opened (read-only)	\??\L:	e_win.exe
File opened (read-only)	\??\V:	e_win.exe
File opened (read-only)	\??\H:	e_win.exe
File opened (read-only)	\??\B:	e_win.exe
File opened (read-only)	\??\Q:	e_win.exe
File opened (read-only)	\??\W:	e_win.exe
File opened (read-only)	\??\O:	e_win.exe
File opened (read-only)	\??\P:	e_win.exe
File opened (read-only)	\??\A:	e_win.exe
File opened (read-only)	\??\S:	e_win.exe
File opened (read-only)	\??\N:	e_win.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exee_win.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e_win.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

6992 vssadmin.exe
2292 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings msedge.exe

pid	process
6992	vssadmin.exe
2292	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exee_win.exevalorant-skin-cli.exemsedge.exe

pid	process
1624	msedge.exe
1624	msedge.exe
756	msedge.exe
756	msedge.exe
1224	identity_helper.exe
1224	identity_helper.exe
6056	msedge.exe
6056	msedge.exe
1932	e_win.exe
1932	e_win.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6632	valorant-skin-cli.exe
6276	msedge.exe
6276	msedge.exe
6276	msedge.exe
6276	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exevalorant-skin-cli.exevssvc.exe

description	pid	process
Token: SeRestorePrivilege	2456	7zG.exe
Token: 35	2456	7zG.exe
Token: SeSecurityPrivilege	2456	7zG.exe
Token: SeSecurityPrivilege	2456	7zG.exe
Token: 35	6632	valorant-skin-cli.exe
Token: SeDebugPrivilege	6632	valorant-skin-cli.exe
Token: SeBackupPrivilege	7040	vssvc.exe
Token: SeRestorePrivilege	7040	vssvc.exe
Token: SeAuditPrivilege	7040	vssvc.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msedge.exe7zG.exe

pid	process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
2456	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 756 wrote to memory of 4580	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 4580	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1048	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1624	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1624	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 440	756	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bazaar.abuse.ch/download/79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93b0346f8,0x7ff93b034708,0x7ff93b034718
2⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
2⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
2⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3680302464125257780,3486610138323006301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5076 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1964

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\" -spe -an -ai#7zMap8785:190:7zEvent8176
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2456

C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
"C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5612

C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe
"C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe"
2⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe
"C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6632

C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
PID:3076

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:6992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
PID:7056

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\How To Restore Your Files.txt
1⤵
PID:5496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
43b59128fb98143042771a2d474d4d7a

SHA1
9f356b8d35eec05ec4a44cf88f48a9f579672427

SHA256
19673aed94a99c7a88b1e147f1a0b21bb4ec5dd3182432799dcf01dfcf7f7fd0

SHA512
8ad6c3caa487ba55e246804a5a532a37b2da496c0a2fd245abb4a6ef2af9463c26b0f02683a97d55696d9c56d3af75ce9c1b147968eac69e4991b5c50ffef87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
369e032a2cf252c873bec3ddc86b1453

SHA1
b54d66c0e9a3f98345483517523bd4fd8eb16c35

SHA256
1f59616c2c70da6fffbe8b15e4e9d0f933086436d2cd849763a964ec5eb8f454

SHA512
9959460cf5f1eac1d3a1bcaafb77c7c473977fa51f247c79b953e044ae9c0888f77955f2cbc1b4daed4e9976efae3ffc1b7f9ac1c5e770b89c71cb1b18cb8017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca8578d8caf31b1bf19171c23824a31e

SHA1
6ae7aa07e2d7dd89bddc1e224f7521f6101da758

SHA256
7b3c8af0303c873a1983f173b1faedf6f8bbad6a3a485b9039e452aa3af9c232

SHA512
9d78945b922791302d35fd447a8ceb6027bfc830c91a90bed741febd67d7dc318caa58d42bef4f77090b1f08c596e140825bb888f9d3913b593dc748caac8e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
168fbbad5e2cb49857cf74bdc0dc868d

SHA1
e6b29fd6ceda137e6143cc98b23b9ca55b873b95

SHA256
de020cc8844b6730a292536f14408c3041113981066b5ac24cc426261e266c4a

SHA512
9b49dbc35351f4df982d6bb02e40609d2bc76084eb0b67dc5b5301dea062510a39f238bb7e1324b56a0f8878da5e5864f839416296c557b17a7543fb70813b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8cfcc4b66abd03938040cec865c386ad

SHA1
fd46378b088bf99212e5740ec0422ef6d90c106b

SHA256
8ec8b1e91dae626929c6b4f00699273aa0ce3164c011ba8feb3a4ef237a73cd0

SHA512
2705868158e2690e8c6cdd7e9f4128b960a99f2f4048e326cd3b13225b9d6b2badb348fc70b103f05b65a8d96a6ecbd4aff3739555a47535a0651b574f95aa84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9da6aabd2a615122e5871b3b03db0dfe

SHA1
8a8a6106460d87b4b2fe2bde2f9593da67faa14b

SHA256
c20c9ab135ce37d6dca9211d1c8ee05a85304c62093f8acdaeb96ef85b0e4592

SHA512
ffceb980d58b2cd8ecb82097d45ee74957011ea37eb98f31202e1a10d76367105e60a9bcc2674be1bc5f83b0dddd4e47900cd2449a77e094b0de78bd793cc0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
d8720f2935fa81341bc8c784715b300e

SHA1
73e595bb2e094387132f500146f29d05f3b2841a

SHA256
8ab2bb2d21fe5e730b8c7c2bd199d4d153a1d642942d67e04b8a6b7b4b167cf0

SHA512
0cd577e3e36d5a998b90878ce24e18586657c1871876021eb74f7ca84702ae955a6b528ffdcb11ac99b347f8392dd168477fc06da0796097b1e5942e42c247a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c18b.TMP

Filesize
370B

MD5
c9582c10277d08c20fe079a167f2c43f

SHA1
eb4a9bdf08b139e306290dd70cdbb0e3f0830046

SHA256
319328c3e2cec09c49fa2848db1c755569056e24a5b7c52b87aa3c3054e8e846

SHA512
0778a4ac666db94bc18b935cbaacef1dc3f2ef6e84916124843b48248432c1bcb85725c681367081dd62c400a8ed5c4a55e886498c4a2c4d60453158828fa0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
032edfe68eee55a07adfef5a433ab211

SHA1
6129152d99ea659837c7fa42bad3f315355446a1

SHA256
bca430ab85d09d52cff36ce77b8ec94917de66ac20a79e0ea5842b723eb58758

SHA512
cd768c323e6342fc182ad79b8ecca76892568a1ef6a74f8e6b46bcff4e14081098e03b06ac658969d7bc6b5b59275ce3c19a3bf2caab922b77e8754d4c3307c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d49e4e185dabb00c9556e1c1ebf1d444

SHA1
ac6fa110eee17929ac75f7187a857067aceffbd2

SHA256
c52a98dc30b7baeaff5a5369256580ca70875a5dd79d4b04d86d3cde503cddbe

SHA512
9bce44c458971f000688a93bfaff1de1bd2b1042eefeb16b4505ef376d79995b4616ca00ac2f1e540a049311ff6759a26e8332c9058281ce4f48e217354c8a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f4f2a4e5aca9d3b28a81e784dddcc7c2

SHA1
efe7aaa573aea7905bf8eb5722cc9e695dcc06ea

SHA256
b5387cf2f016cdeac38afc05ab8e1eaee6ef9997a2e692d4c95ffbe6e7a03935

SHA512
3bd58126b8d7e22489b5c48fc3e6998af18b23757698628d0ca126a4450930a2ead549c467475530e6cc1f980fb59e46a4d5e712117f269d50fc02c7416be0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_asyncio.pyd

Filesize
70KB

MD5
45126a5a3995f890e5c942ba615a569c

SHA1
928aa2b9f2e2485dc835c6d0f92999f5d5581264

SHA256
490e3b87f7a570ee09e4d95a439c525883b4ab22b701cf89f68409a559e7bbf3

SHA512
dcc282bc6e6b524f1e9a66a042a10afb13aecc6a77f18414524d1e7db69aaa919b856a415e81acd79a58b069b2d5a8b12f61dc25f1f62c486805fab15f439232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_bz2.pyd

Filesize
87KB

MD5
92075c2759ac8246953e6fa6323e43fe

SHA1
6818befe630c2656183ea7fe735db159804b7773

SHA256
e7af6119b56ddd47fd0a909710f7163d7ef4822405fc138d24e6ce9de7a5022f

SHA512
7f3a4409859695f53291c96dd487bca2649815bad5f4610c2c6f92777411d39210e293d962573a20dfe73ea15331de7e6c18b017ae1d6f226387eab1fc1f586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_ctypes.pyd

Filesize
131KB

MD5
2787764fe3056f37c79a3fc79e620172

SHA1
a64d1a047ba644d0588dc4288b74925ed72e6ed4

SHA256
41c593c960f3f89b1e1629c6b7bd6171fe306168f816bef02027332a263de117

SHA512
1dc5bb470be558c643a3f68e23423697384bc547b1192cd398dff640e28f7df85563bc87643cdcde9b8b4f880f272e13a673a018ae251e100bd99790f993afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_hashlib.pyd

Filesize
38KB

MD5
7808b500fbfb17c968f10ee6d68461df

SHA1
2a8e54037e7d03d20244fefd8247cf218e1d668f

SHA256
e2701f4e4a7556adab7415e448070289ba4fe047227f48c3a049d7c3154aff0b

SHA512
b4239e792141bcf924f61bfd46033934337079b245f423b34820d36c6599ca35ab06bc525acfff4cafa75e31975fcd0409dedd203377d642fc5dc55ec2c1fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_lzma.pyd

Filesize
251KB

MD5
ab582419629183e1615b76fc5d2c7704

SHA1
b78ee7e725a417bef50cca47590950e970eae200

SHA256
5a45f7cd517ad396a042bc2767ae73221dc68f934e828a9433249924a371ee5e

SHA512
3f38441dd0b88b486dafaa1e15d07f0ee467a362c1603071a2fa79de770fa061ced25ca790f0d3139f31178c719cc82ac88601262e2a0ca809708dfa3f6f76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_overlapped.pyd

Filesize
43KB

MD5
73ed0ee50db2ea98118f704e78d5e95e

SHA1
93d6cf61c8848e70f2afffc698f9718a18ad74ce

SHA256
009cadfd046eee91e183489edf6b8ad8562e5c9e851ef4ad0034b5d88201c942

SHA512
efd98f373f2309bf50139b35fb17e0d1355bed421c827224d8eba093f3005c3325cc55ef2853cd2d55e2873c9a73e3867bbe4d267f52c6fab5cddc8f2d076a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_queue.pyd

Filesize
27KB

MD5
a48af48dd880c11673469c1ade525558

SHA1
01e9bbcd7eccaa6d5033544e875c7c20f8812124

SHA256
a98e9f330eeaf40ef516237ab5bc1efac1fc49ed321a128be78dd3fb8733e0a4

SHA512
a535dadb79c1ca10506858226442d1d1fb00e5d6f99afa6b539e2506a6627a7bd624a7ee2bc61f55c974113de80fd7a95e6c18e9402736d32d5099077ca1b913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_socket.pyd

Filesize
74KB

MD5
10cd16bb63862536570c717ffc453da4

SHA1
b3ef50d7ac4652b5c35f1d86a0130fb43dd5a669

SHA256
e002a1bd6fba44681d557b64d439585dba9820226e1c3da5a62628bbaa930ae3

SHA512
55ee581c4005901661efaf9aad6ea39b2b2e265579539d464d62e4209638567b3b9fdd945d0bed0a1047f977d374a5707a970c621ca289077e2d6c5aeca491b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\_ssl.pyd

Filesize
121KB

MD5
8b5af5ac31b6bde9023a4adc3e7f0ce1

SHA1
c5d7eaaed9be784227a0854bfb8a983058410a35

SHA256
7040d3712f31b7d11882ce8c907452fa725678b646b900f6868f43ab3e4ddab6

SHA512
499aa2321a2e5492c700513d63cf08fc12d3a430a5e9f5d865279919f6d7b74385b6767bbee63616f84b52d02070b16b2d4c3921163c42864f33e7b5331b1444

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\base_library.zip

Filesize
759KB

MD5
5cb31103b8c5e6ceaaa78e4f3f961e2d

SHA1
cb14e1205c62cc3e8e808259f51731864724c541

SHA256
eff3e9c4b1a960c3cdc4f3a85d416b93c4d34ba1f76f3008eaba369f7fafeecd

SHA512
42b2776e7c20919805594d4fc1d6446eeecc27a60154577568fdb04fc811250cc5410dd1afdf25c61e22c8ef3f4f77670b01e586317b810a3365a877b5f6bdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\certifi\cacert.pem

Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\psutil\_psutil_windows.cp37-win_amd64.pyd

Filesize
72KB

MD5
eb2e7580f823b00576880cada4526092

SHA1
9195525a1e9cbac344171dd5333f2df0852c890f

SHA256
3ee35d8a42d5951c8498246aa6d302bbffecea65a2fcaa78a069011c6f543d59

SHA512
aaaef52e15a61490d87c2c1e49713590b3bfb65229c4318fa51bee92b9440e1fd546bfe8773440b559a55a9525f51ed2bfc9996fb4de50476533db3d6f284b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\pyexpat.pyd

Filesize
194KB

MD5
02d615171b805cc573b28e17611f663f

SHA1
2e63b78316b4eae6ee1c25f1f10fbbb84ecef054

SHA256
e60b5cbdf7480db1fc829e05ce45703d43d5ba25fdf7fba21cca1d38b1f3b3a4

SHA512
b61cd3d16d1a192016a50342ae71fee8f764c4c156e275a320f74cc4ec65755c91c022231d09a76b59d6225960f5a930f1887003b1d6984beeb5a9648b045427

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\python37.dll

Filesize
3.6MB

MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\select.pyd

Filesize
26KB

MD5
39b7c056bca546778690b9922315f9ff

SHA1
5f62169c8de1f72db601d30b37d157478723859b

SHA256
9514b4c40c35396b1952a8acf805e993a3875b37370f44ef36ed33c7151412ef

SHA512
229538131d83299ea90652818c99972c1ee692c070e7fea9599420c99dd8ae75fb2367e9509aad23984fe0a8d21221a59bd57493b5cd1d6c7391c3c55d714e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\ucrtbase.dll

Filesize
983KB

MD5
e3cbcb26ee85737e70ce55d498fcaa38

SHA1
8dcdcf5e8d9b621a149163cc3f12d01fde1ef4ac

SHA256
8ab85c80c5d9ad3618fd86aa45a878bb5a5d7e449528c317a8239c33876c75b5

SHA512
eb85a84f0d7e4f65ab67869e56b68f8da72a570b9b2fd0ee28e9d3ea9a80b4d35352261213b0e26d9d7592e750a0870e7b62df69e948bc060b0bfe6cea9fb12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42962\unicodedata.pyd

Filesize
1.0MB

MD5
d2ab7f9a441bb139feeb0e11eb600371

SHA1
467aeb881fccd4a43a16f319635da81f05279cc6

SHA256
465ab1b24c39a5a5da9415c96740dfdb4d071b25a7a87e275841e1d66a57e88f

SHA512
cf8eaae07c176fab5ca54a3935ec2fd6933e3f2d0ca107bf60f1389f2258865d101685918c7a04802da2a97980747935f1b56b0da3d1db3a1ea282f74db0b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e_win.exe

Filesize
79KB

MD5
2298d910b2d34e870e0f561eda4dcfc6

SHA1
078b2cace5161e34aaaaeba6bfbe3f6259651f34

SHA256
bb845cf9c1674452a995f58b3971c04fd67a0a8d256288e58cb4454bb80a5efe

SHA512
6465216a71c116321a6e7d9e1746247cfe1c29a5897422f13ed55cfb3a0daa42ba673a7cc308bf5440c6bf5fb084d065a6b4aab84c11ca1d81fdf23c09cbfe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\valorant-skin-cli.exe

Filesize
11.8MB

MD5
618f14f157f325c42d4ee192d218e704

SHA1
d7889120eeeb8bab7fc45e0391afdffcae4d681a

SHA256
f19ea07dc1e91fc2a19bffad3e0e7a0b3b76d05cc617bae40a43289691b9a190

SHA512
fe8d79303670d593670c32b804ebcfe905f0ce2f85e346e6972ec95591bd66b3b77def5657f7bbae49310df1b4e94897722c3035721463da77ebdaa5b66d4ee6

Download Submit
C:\Users\Admin\AppData\Roaming\valorant-skin-cli\config.json

Filesize
297B

MD5
570b1fdf399f507290125437e06b77e6

SHA1
660c6cdd4d6a257e7219f970a73c7a81d7509adc

SHA256
2d33a0d437b652881cf68883f1fe44f779e17c13ef32348b3d224890d9779b7e

SHA512
9414c42919e718da6e5e1648feeb9398a51b759e0d4ad51cafeeea0f1180a32d15fb4528711cd26234adc197e552e0c21715eb360cc041c2d47105dd6516b4b6

Download Submit
C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.zip

Filesize
11.8MB

MD5
eb220745352308754ac0266fecff0317

SHA1
77cdd90af621fb57cfa0c55f0afc2517dac90c1e

SHA256
f987ae9fe193382c0022bdb9aa3ea42fa92c0dda3c3adcc0bf7effe75d2b3420

SHA512
36945fa9da33331f478b47fcb3a37278d65140242e5f88a76aaae40f104d5c18400a613369038110b9154e764ccdb13eaeb49c043209910489a5d791f1698066

Download Submit
C:\Users\Admin\Downloads\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac\79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe

Filesize
12.0MB

MD5
59d018958d77ee68568eac6250a4224e

SHA1
a5ac1b794b33da74b7d587b04394721f7aa96d0f

SHA256
79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac

SHA512
5f285f3920463646a77487c9e0b1c46ebe950f779fafb524d6064aa280ba84c3119cd19c2b88f3011e20a7f7b70a1341103d42baca28f1781d8670bca8737881

Download Submit
C:\Users\Admin\How To Restore Your Files.txt

Filesize
259B

MD5
f026fb213f419a400ba83e1a69d26472

SHA1
821f1318d077065fe1a3fe2075f053f1191d5739

SHA256
b87c7d852c60b34e5986e2d41fb4f644df11f7350ef2272ad58a469e476d2bc1

SHA512
6929aa4dccef21718625513ab21c9e39599969d6350dadfa00747cc8bde302d2d7158df845686f1e607b2b05126697263982f6ab61e189781117c9329176e50e

Download Submit
\??\pipe\LOCAL\crashpad_756_IVXJSNXCSZYYEAFO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5612-180-0x0000000000400000-0x0000000001009000-memory.dmp

Filesize
12.0MB

Download