8aa6805c5c2d73ff895044ee3a5817e9584df215d0b2d836251cc647c08a7e8e

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Netflix Windows Edition_48472272.exe
Size

364KB
MD5

237a9e619e62b5c0a5eec0da67e9f40f
SHA1

afc7449a1710180192b206631ad1b1a7d7b3d220
SHA256

8aa6805c5c2d73ff895044ee3a5817e9584df215d0b2d836251cc647c08a7e8e
SHA512

855876aad0046ea73ee7470a1c7daf4ae58e82e8f884d04b671174f6932e920f12ab08ed8acb0d6afc71a30e89630491874bb577b676fc249d6f33633b1c2f39
SSDEEP

6144:gBGqhVjKHQin39l4yjs4y6WvnThIgq76v5r5bGMUU1aBXjwFMZAOzNGiSKJ4:gBGq3i39eD41UnThIgq76R5V1adjwFMe

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup48472272.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	setup48472272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Netflix Windows Edition_48472272.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4980	tasklist.exe
60	tasklist.exe
4844	tasklist.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 7 IoCs

pid	Process
4832	setup48472272.exe
1372	setup48472272.exe
2452	OfferInstaller.exe
4508	Netflix.exe
3540	Netflix.exe
1620	Netflix.exe
4764	Netflix.exe

Loads dropped DLL 64 IoCs

pid	Process
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe
1372	setup48472272.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup48472272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netflix Windows Edition_48472272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
228	timeout.exe
3168	timeout.exe
4236	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Netflix Windows Edition_48472272.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Opera GXStable	Netflix Windows Edition_48472272.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	Netflix Windows Edition_48472272.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup48472272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup48472272.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup48472272.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 201946.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 626666.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 561748.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 837101.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2280	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
4832	setup48472272.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
2452	OfferInstaller.exe
3740	msedge.exe
3740	msedge.exe
1600	msedge.exe
1600	msedge.exe
1824	identity_helper.exe
1824	identity_helper.exe
3920	msedge.exe
3920	msedge.exe
4700	msedge.exe
4700	msedge.exe
1136	msedge.exe
1136	msedge.exe
4408	msedge.exe
4408	msedge.exe
560	msedge.exe
560	msedge.exe
2076	msedge.exe
2076	msedge.exe
2764	msedge.exe
2764	msedge.exe
2192	msedge.exe
2192	msedge.exe
2252	msedge.exe
2252	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
180	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	setup48472272.exe
Token: SeDebugPrivilege	2452	OfferInstaller.exe
Token: SeDebugPrivilege	4980	tasklist.exe
Token: SeDebugPrivilege	60	tasklist.exe
Token: SeDebugPrivilege	4844	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4832	setup48472272.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe
4700	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4832	5024	Netflix Windows Edition_48472272.exe	86
PID 5024 wrote to memory of 4832	5024	Netflix Windows Edition_48472272.exe	86
PID 5024 wrote to memory of 4832	5024	Netflix Windows Edition_48472272.exe	86
PID 5024 wrote to memory of 1372	5024	Netflix Windows Edition_48472272.exe	88
PID 5024 wrote to memory of 1372	5024	Netflix Windows Edition_48472272.exe	88
PID 5024 wrote to memory of 1372	5024	Netflix Windows Edition_48472272.exe	88
PID 4832 wrote to memory of 2452	4832	setup48472272.exe	89
PID 4832 wrote to memory of 2452	4832	setup48472272.exe	89
PID 4832 wrote to memory of 2452	4832	setup48472272.exe	89
PID 4832 wrote to memory of 772	4832	setup48472272.exe	90
PID 4832 wrote to memory of 772	4832	setup48472272.exe	90
PID 4832 wrote to memory of 772	4832	setup48472272.exe	90
PID 772 wrote to memory of 4980	772	cmd.exe	92
PID 772 wrote to memory of 4980	772	cmd.exe	92
PID 772 wrote to memory of 4980	772	cmd.exe	92
PID 772 wrote to memory of 1724	772	cmd.exe	93
PID 772 wrote to memory of 1724	772	cmd.exe	93
PID 772 wrote to memory of 1724	772	cmd.exe	93
PID 772 wrote to memory of 228	772	cmd.exe	95
PID 772 wrote to memory of 228	772	cmd.exe	95
PID 772 wrote to memory of 228	772	cmd.exe	95
PID 2452 wrote to memory of 4420	2452	OfferInstaller.exe	97
PID 2452 wrote to memory of 4420	2452	OfferInstaller.exe	97
PID 2452 wrote to memory of 4420	2452	OfferInstaller.exe	97
PID 4420 wrote to memory of 60	4420	cmd.exe	99
PID 4420 wrote to memory of 60	4420	cmd.exe	99
PID 4420 wrote to memory of 60	4420	cmd.exe	99
PID 4420 wrote to memory of 3692	4420	cmd.exe	100
PID 4420 wrote to memory of 3692	4420	cmd.exe	100
PID 4420 wrote to memory of 3692	4420	cmd.exe	100
PID 4420 wrote to memory of 3168	4420	cmd.exe	101
PID 4420 wrote to memory of 3168	4420	cmd.exe	101
PID 4420 wrote to memory of 3168	4420	cmd.exe	101
PID 4420 wrote to memory of 4844	4420	cmd.exe	102
PID 4420 wrote to memory of 4844	4420	cmd.exe	102
PID 4420 wrote to memory of 4844	4420	cmd.exe	102
PID 4420 wrote to memory of 2664	4420	cmd.exe	103
PID 4420 wrote to memory of 2664	4420	cmd.exe	103
PID 4420 wrote to memory of 2664	4420	cmd.exe	103
PID 4420 wrote to memory of 4236	4420	cmd.exe	104
PID 4420 wrote to memory of 4236	4420	cmd.exe	104
PID 4420 wrote to memory of 4236	4420	cmd.exe	104
PID 5024 wrote to memory of 2280	5024	Netflix Windows Edition_48472272.exe	106
PID 5024 wrote to memory of 2280	5024	Netflix Windows Edition_48472272.exe	106
PID 5024 wrote to memory of 2280	5024	Netflix Windows Edition_48472272.exe	106
PID 1600 wrote to memory of 1480	1600	msedge.exe	109
PID 1600 wrote to memory of 1480	1600	msedge.exe	109
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110
PID 1600 wrote to memory of 2272	1600	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\Netflix Windows Edition_48472272.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Windows Edition_48472272.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\setup48472272.exe
  C:\Users\Admin\AppData\Local\setup48472272.exe hhwnd=393496 hreturntoinstaller hextras=id:6799040925c8e05-FR-9ysQt
  2⤵
  - Checks for any installed AV software in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2452" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2452"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3168
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2452" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2452"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "PID eq 4832" /fo csv
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\SysWOW64\find.exe
      find /I "4832"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:228
- C:\Users\Admin\AppData\Local\setup48472272.exe
  C:\Users\Admin\AppData\Local\setup48472272.exe hready
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\file.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfd5846f8,0x7ffcfd584708,0x7ffcfd584718
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3692 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7640 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5883974691534380014,15067005753190286397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4552

C:\Users\Admin\Downloads\Netflix.exe
"C:\Users\Admin\Downloads\Netflix.exe"
1⤵
- Executes dropped EXE
PID:4508
- C:\Users\Admin\AppData\Local\Temp\onefile_4508_133729587657887376\Netflix.exe
  C:\Users\Admin\Downloads\Netflix.exe
  2⤵
  - Executes dropped EXE
  PID:3540

C:\Users\Admin\Downloads\Netflix.exe
"C:\Users\Admin\Downloads\Netflix.exe"
1⤵
- Executes dropped EXE
PID:1620
- C:\Users\Admin\AppData\Local\Temp\onefile_1620_133729587772631880\Netflix.exe
  C:\Users\Admin\Downloads\Netflix.exe
  2⤵
  - Executes dropped EXE
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
04182aa154ffa629b2dd70db74fbf107

SHA1
839c73f7ffd1f0d89707e2f989777ef69c58f675

SHA256
16b142c8ae14c3ae22d809c6f632ae63df026ed5d527336f64b0eb6ec9311cbc

SHA512
4e6b0d28af6dd63bc6aa7644e14eb2cbc03bd93ba508f2e7ec3aae8ed5044ae459122872d29a54d00afe9b4f4861e23243bc409a32509e21887f03bd9af0bebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
96B

MD5
d679181a0507eece8e19329db1522675

SHA1
97ee8e6774725b367e9b25bff7372633a1140cb7

SHA256
a7cfe1297dd8ef8a55f7105bfe2ef4d28528f6435ec2088c87d27098bf97d8c0

SHA512
93a3d6bbbefae4c99ce34b1888b8fea445fc93e8a8c01a6e018aa458741659d8a04c00f2aac95f16aa122dc83b46ae070dc6292a93900c8c5b28c38ed8612fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
42b09e9081aaf0e43a096101f5ee2dc3

SHA1
3d08eb9c6c2ab2055e06c5d2cfd7945914a71aff

SHA256
38efbb9a7557220f7be350cdc7fe2926b62c3b3c7017c40cfdaf0c703c197ebc

SHA512
80d2c928947e9c077ec785c721d6245d25e16a7a8eaa9e0f2633da890e7bd2fbdd04092cf6d06a6ff1fa32f38ed7336c943a8c5da65b882224a644581d78b724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1e576eefc13908eae8509ee5fd7bd364

SHA1
3e2c78733bb434f30a34bfe22e066941360aeffd

SHA256
aabae0035adfc4e174533cdd9a1432b008378d804c40ac111f68dfc0c72ed5c7

SHA512
5775e527e63025192002ae3684ab1433da26e17e4040844a9512a4cd091d05f270f943176f0b647998b52246202e34b4330512967ab1f62bea1978ac2c5d53da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
19634f2f130ef812c825661051767ce4

SHA1
636289c18a33f97edcf856aa0587f490a0e0bfe4

SHA256
95c6c45fe00df696135866ffd1187dbb7242c4be4bbdf5d750e30b5e84602e30

SHA512
9873f696973488abbc77a064fa9f67b93442eb705417405901307d9f475d298f140845469a660cf698a0f5346eccf9a2a579813224fe949afce4327b230594cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e87a1fadaa86ac08183c863d32a4f161

SHA1
adc918fa020c84c3e5824542d4b9121b63520420

SHA256
f5af2da7f400bf493940f23c6921962f20c8f01cff84dd11b402e404563769f2

SHA512
028cb9677e67fe9d00a7d7098823feca61168f66e0469fe07cb34261ad497265ed75589e9ad766a017bfbb5700465f2469302a94ed9489af19284aecdefa3f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e001966bb2382b541533f9979ebd0f0

SHA1
f789b2af8e8fc4e157c1eb3824728aecc289217b

SHA256
65a0869271f48efe2e6b96a01aa4d98d66d0111958f720369994f7060aa7781b

SHA512
617f9674831498528ccd11dfe0fe37a38ae0b570d00d93f9dd740839fa70ae8f3ca05181fa01f7e1e7c1b9acfe96f33dc880dc49526cffa74b004968d11d36ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
086fc9673230fc96278cd86f77d7c183

SHA1
9fbe11dd2e02243cadd1a39da4be7623e63db34f

SHA256
6955eac56b66b04251d503be02eb855734f663e534b105615896b428921becc5

SHA512
879716153d7043fb3e615371a9a9232d599138efa4f8bc301f122cc898ccbfd1e7a91b77c49e6a60aec7ed75cf3f538c028bddf1da8e7178dde58b07d3ce5963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fd27d36f33f714f3e71987e8c999c710

SHA1
636aa4eb56b9e5724010db89be6e8da6f7f9e6c7

SHA256
5d4a12767a4f9016297fea13f1daaff0c975d12e2fa3e5a6f4c3429ef955dc4d

SHA512
b946d0aa6c66e43040c7a843fc5fc06ae576a487ec1ea5bf6652f908a364bc4b8077a6f99a6b434a32db882a72bf6ebfcb5dc740fb010b580e9cfd02b374e444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dbbe30cfe237435c8d69ceacdaea0fc

SHA1
f18a9bdea749388f0e10da88d8646b2db5e68a2f

SHA256
b43725ee0a22d7bf04236e17eb3a6010faaa15c7d5ad80e0c08c49f4bb000edc

SHA512
c5f3dd94f82ba728c5700cd79e22796a7c8ad3216c457311f0f4eac8eeba52067c8b265c2e7485f00dcb75f519d9f85081e46c0103e52440389d7af2fdd3fb74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6831c96101f5d17c09dcd961d9440ad4

SHA1
2ccdcabf70a14410c32b9e678720a52b599db1ea

SHA256
38f57c5c0ed5c3f2e25e1499928f0b56630f44c2ad90314f056f7ea6aff43d64

SHA512
5fe1496debf8824532ece11ee7c7d76fa9e33f18c6146f3cade294061c1fb87f4cd068dc341f0f551dba132d4174a440f255368dbe7e0724e859257f4f8929fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
382d763a866ca4123b71b9410fcaf37e

SHA1
f4c3b641c95058efc38c1c10ed509709f29e8107

SHA256
f2b8e75d85f0a5935634b31946eeae04dc8adf7d9859a1aa17d5b6865b02d4cb

SHA512
7ce2c614e5c23decb068c7cc46a33ec698f854e1de4672868d2195710ad5283633ff0c91f6916bb3d125e60c747dfcc89f60ec137e9015cce38f3f0f3fef4650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\094ca731-199b-4f74-ab2c-2c838dd6e620\9248e3028e75e567_0

Filesize
1KB

MD5
2517a6e37b4d1039dcf1ca8185346269

SHA1
9cc5240c1a6213b6301d12e0dc8ce30bfe0b3578

SHA256
34a56e502754943200eaf9b57988a7fb79713ff60730ee4fe0c278e3198c9ad1

SHA512
63c0a419153f3546b3ff2979463beadb6d110f84031b25c20caca7067cce8c0a0cf602231e8475299b3c1ab1a2ae6a1588256cb67d4be917494733f0973cffc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\094ca731-199b-4f74-ab2c-2c838dd6e620\index-dir\the-real-index

Filesize
1KB

MD5
b8a33d28e18aec999b50d5dfd9f51673

SHA1
3511532144ec6a71df72ba433012fc7ba55381b5

SHA256
52e9035f22ba2944adf388cdb41adb2e020f08f3f82dc7ecaffc8d2979d23987

SHA512
ee3aa4cee81e9d6ea8db1fbb168b40425ceefa3f4081c8e7887a264e31619db79f0521618733de5d8518810f8c57da52536305500b64732ad07f5660f2e8b2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\094ca731-199b-4f74-ab2c-2c838dd6e620\index-dir\the-real-index~RFe597fc5.TMP

Filesize
48B

MD5
b9e3b3c7b206acceae06b546534bbed5

SHA1
aa6d9362182d3704225a813207a59f174d615f9b

SHA256
411614a9145270fa92a8a7c32ace267a7478adfc93447a7a7515d8e9adadf102

SHA512
f31e45fe2617aa5caa6913e3c0cf71713a8bcd25a1cab35f29cbe0910b319c6d7f3f8315e6cdfc9dba81ebd8aa7aca39e06c14c2a6e01db2183c4af98f54ca4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\7ed4fc45-c181-4450-be97-3e91b39374b6\index-dir\the-real-index

Filesize
72B

MD5
75a626589edc910f01d77eb53403bf2b

SHA1
c68a58180103cad80e7c59d23a5b28136d805749

SHA256
7095cd141094af7be3123837eaa9e66a35c49163f4529cc267bf45f1c7f8edea

SHA512
727a58c37d173d62f01d95ee2f74df85655d5021a075405ea7502d53b535f947dfb7c4ad3e7a9890ef7cebe2365758e80305495d2d068aa453285dd5ea7d866e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\7ed4fc45-c181-4450-be97-3e91b39374b6\index-dir\the-real-index~RFe5980af.TMP

Filesize
48B

MD5
f1cee88729a1fb33bb418c2855c3f644

SHA1
4389aed3279c54af64a4c52f2316279a024b9a09

SHA256
1a2445e448786954515dc0bba8e5b6a6e4d8bfa28fd6a2ff6ed079e26866984c

SHA512
23ace37690d5882f868f3bc7c35b3054da44c96a6703d8e498e04c8f6a014720f8be6ab3a7e31a74947fdd41b96bf47f5c6a5b89042201df6bf3e8f9a619d550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\f0e328f2-91f4-476a-a1f8-957243925659\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\f0e328f2-91f4-476a-a1f8-957243925659\index-dir\the-real-index

Filesize
168B

MD5
404b6c23e6943f0ed674d8b21145df34

SHA1
4ac30ed6a85c36ee1b767b98fd4deeb30820a4dd

SHA256
ce354a4dac1fe0ce57ffb0e04107a763ab0f4816697644ba5995874668f91ec7

SHA512
ef1b70b8a0172ee83a403966c45c895fa211dfbe3f1f0f71f2bb459deba30ef812ea95c612fb7d8b733845e518019a2f9000bc9417112f6486fc0afa2064a61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\f0e328f2-91f4-476a-a1f8-957243925659\index-dir\the-real-index

Filesize
192B

MD5
2b7e052e6a6270d550a0daa06ef1b86d

SHA1
db7d1e7622e0985332a8a67251b9d135546acbc9

SHA256
edd809b2163313380daafaa182aaaf3dcfad436bc6417a4543b85015cacd6b7f

SHA512
f3b14c19c28ee555489bb24d6cf6f1d89752d17fd9e92facc14dcd1d236ed7064b16607ec317fc794e88754984b522013b1dbfff5a36c275c41ab548c20d7ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\f0e328f2-91f4-476a-a1f8-957243925659\index-dir\the-real-index~RFe59bb09.TMP

Filesize
48B

MD5
34eb3d72db50322aba6c11ef4b6839ca

SHA1
99b3e2c322a4e15b64e076f6dd904a08f3ba4bd2

SHA256
fc78860db85f5ef40ad38874898a17bd97d9c95095ba8f2d78a538525570ad80

SHA512
b67427b482afdc1ee5657602086219977c199bca24f71ef7a2d43e52861a256de31e0c1ddbe9fe27402bbae9c9dda68fb16e5b2ffb48dae69071c8718987a154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\index.txt

Filesize
90B

MD5
cece61ba9129e34bbf03756ce2eb81c9

SHA1
3062cbb7d3025e7006d03af7bf1cd1e331bbfedc

SHA256
4507b2027d065bbaccf9a93effff903c78adc7abd555085f2eb71898c8b5c70a

SHA512
73525c1a0543c9fcf427d8a178adae73dad195c3a2bca057bf47ded9e5aca0ab37f7edb7888b50b4fc9529da449f2cc319036d81d72f533bf7bf1db33c0cb12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\index.txt

Filesize
183B

MD5
8f8f5acd5760e4140bd25d357767d65d

SHA1
b3af0ad2cf585fbb9359b4e9eea3f4851efeff9a

SHA256
e4d1d57a8e5b70bcc62564b623861bc82d30d74241a2090457ec00b1754e120d

SHA512
3000b35fb29f8175a4987d6500ab9e986a3ae69df6a4fe3ab2eae6f05a5256d6bfcf605656410b29b55609e310b7e22d4df2d964e35adf880276b089d4abd8f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\index.txt

Filesize
243B

MD5
087ccf86eacc027e79753f5c557f922f

SHA1
e6acff0b4f18c3b4dea2bf4c7b58730155c8c3f1

SHA256
7f13ccc25b66c3f56578112879c654c63203b664a228faa74965defc67d1b906

SHA512
3a780d12d9e8034a47226177d3704f267a5e9fd0f88d67a84939c47a2ae214f9c5607a57ffe766bdc4a40941d67e17c793967f5dfb06081b6e16118d451c250f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\index.txt

Filesize
303B

MD5
2f6d0e728740bdb3d5e6ddb65cd83783

SHA1
b16fb6e00d3e95b70294093518f9f8ce84d41175

SHA256
642cb072eee4369941910cfda73fea38a7a8949d150e370af3cdfa53d720e6b6

SHA512
fc4445050c166ce7f41b4cd2ddc720e3b14d53e9b81b8b6f8238fe635eb58aafb5d6503004a758657e81c92324eac2003483301e3d7aadf234de0fe995d31f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\index.txt

Filesize
301B

MD5
309a9a91a5af1a9cffdc0681b38396fc

SHA1
d811b5592173561ec11b2b18a810f347a7b06848

SHA256
b84b90b5682c7d93f74cfc8e89d726d483ecc7af8ba8e2c3d6b15816a4b2a824

SHA512
0d1fc4a94b2088493c9625914c483cfb5e467fc3d870fc0291d55e2fb5f1d3c2a88c1aab12ba83b8cc25bbba45d2170753083d0851bc6bf303b929a40e5a0990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f1cdb4e30d0801c9fdb54ee12ae6da90a8d1361c\index.txt

Filesize
301B

MD5
6a764ba5d724f5eacf82e34c2ebc2cef

SHA1
6fb21e7c5c491806d9ee97bc6c37d1558ef2b2c5

SHA256
833d58ffa2129d919bb804c961800c29f4b226918f2f87ac807f1fe520aeb1c2

SHA512
9c835d6d086cd8679a0bced8be34fa84843a8299ebc37bc4e85493919aba35476aff31253ce347910ff5fb0541b10baf2afe7f452769d229306bdf4f40e2d342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
4975ffb3a309a35df6e303cf5c36cd92

SHA1
76f00f89411957eccc5774deb427723636faa0fc

SHA256
69717f363428675ef00004c0dd61bbea55d6529a9de7fab7ac391ac9785a98a6

SHA512
35f5cf0ce5d58e7aed6cf12a27d1fae6c88cec5d1f069d46dc422377a802b7db583d03084bf8f38bd74f6b0eaa8f4c5d587143b3d7b76dccbfa6787787ef0f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe596548.TMP

Filesize
48B

MD5
c7a735c1fb7ea528078ad07be9eff6ab

SHA1
b1270760c7f2d555e55214cd14d66d8f519b3079

SHA256
07e29103d808a078111643796ce7496ca5e15f74b618495bb7cfe201e70146d0

SHA512
e73214ba424606bde1a8bd03031d669d78879a622e208a1cf4dc63f420bdccdbcf07e0378252b88ec3f4ac1d2ba40459d247f7b9b60c32ac29bb245384924713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
690ab1f4699ddb3f69757dd32c158e2b

SHA1
882c8f587c3c040a26711b87cef0488449210ccd

SHA256
5585dc86d6b64229daf421dd268ca4370dfedd7e06d5c4ea51e7c93bc0ba9d1a

SHA512
780ead82c9eb3a12281c0732b6deb6964f4c5c2c6a7f275c096ca79d6515148288ac32e8439e9e5c4cd868b9802419b62b118d3cbac34a24924cf03587355c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bfa9ece28cfbf0465754f6d412658488

SHA1
8d933f1cabd51ff961d6c0be3bf32728f3e464a3

SHA256
68b456d0b00feb32b88ee27021ae67dddc297c3c5c22cfe925c6651aca406634

SHA512
3bacdc4e19dbe8c5e5c6b79edbca842ddbfd23814804fc5515ceb35fb85eca2c9d5e84f3b875d1cd7e55270de899ccf23334c4dfff76836fc08b768b7904361d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fa4cdb4dfebea4018777a742a14bcfa5

SHA1
b18237cf165ed8a04a6589355e13f4d0710f35d0

SHA256
14c0a042df36274223e1e53ddd3ae6801d032dee21bbc07b5df0202a406793a2

SHA512
6d55c89a6df31b15b4098078f6af1e26046433ac5dc04157aa315ebb94c32b2186b1dad6a1062d23cf1e77286667191039925381bfd413a79434580cc8ab026d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
34abd1642e197d6ad94fbc4c9e2cd2b8

SHA1
f265c3bbd6e302c8440736fe101405fb6d501c6b

SHA256
f1e31c030cd06580a475254a9f2c479db0edad5fb4911b9d19ea63de196915f4

SHA512
f21dac465681e6f77c3a957388d7a560fae7dac5dcd53ca41e8028e7530a01e29623075fabb46191366da388432cbdec2757883af1ec39d4925aacb208ec1c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3cd552cfd8dc4755433c7a286d3e1793

SHA1
9c2c863244df3e0634d269e9916dbb817876bfa5

SHA256
58434bf28a2dc3102ece06ff4bbfe3420b6e81c048f5c0067cbe87c7e5ce2ab3

SHA512
bb52d48a0bd9776e73debfea662739b0cdaa4b0006172a6938b3aa6d9a6b34839be18282c71f79d611a28e1cc1ca6e65a5f245fb20d453aba67ebb48266b915b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9dcef464980d19e0781f7b021e14b0c8

SHA1
52171638dded43c3a18b7bb4f1cbe9d4fd053f24

SHA256
fd1894df764b01c41a8b5e08569ff759d7ba47741a4e208aa89be55bd67f596f

SHA512
eb4eb2b5a164be73879451b260b782f1cb8c0fc82ad72d37eb36f109ea05432d3ed02b7257ba29e23e619f760f12fa9604d9c68c06101c43249eed6d134be120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c42bef6bb91074985958c39ab7ff382

SHA1
876e9e40ae346a2eccc70d10a9ef46136cb37fcd

SHA256
58416622355322669793a9663012b54c9ae4addce877c8345f4ff293a3b51943

SHA512
1c81caecbebabcb1fd37bcb403c4e3eb2439c041af115b68e7787561d1f3e02772eba9d41af6a04dc87854d814fbb8870709ae95dc09c397848ed0d6379372b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
af697dd93c642faab9006d7da4154370

SHA1
72192808bcc561a11f1a57c6b6766a4a347a768d

SHA256
9ff712ca0a23513afe96b22f23d5f40d6e7c70a13e4f172eaf950b3653981d91

SHA512
4b0acbc621ded994af26b69093b9333e22bea08dcebbd448d44eb35f210897810846b2f8417e35c7dbfe1a0551a9ce44fcb7602f43621dd494fb46dd96d3bd3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9d1f6b34ee6125e73131de292623027a

SHA1
cbdd21a9161c4d52b4dc7d236325adeb8b1db4b4

SHA256
615df9c8c00ed9f9cd624cda978bf34d0df9964f17adf04872e2054a789234fa

SHA512
ab36668100dcbf81acf9767b13b8aae11521d42da8fa45a68743db89c2558a1d10f55a34c44023cd471cf0cb46cc5fea86c92ea9f431b424496b23a8575fac5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e3a3a01ab33054ed948d40526748b9e

SHA1
263f5fe27263f8ccf8d6a10d976f4f31355eedaf

SHA256
eb2158bb3eb35f9e20f47951313adee4a94f82f33314de14c6cfbb59b246f3cf

SHA512
0945321c325e9da06d4a8f2c024ce43080be5a7bbe4a87b6cdddbad888ce32a4314a6bba91091c1178a0bb38763f17a22ee0fb42e6bda46234a35afeb4b9cab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5955d7.TMP

Filesize
1KB

MD5
6076a97d6ee699f3db3af4114e7a3f8f

SHA1
3207243548b1325e8c962a82ab473f22b134ba36

SHA256
237fbb5ab70417c91cba84bb56cbc123a23d134f6bc4555da875d5aea91992fb

SHA512
393aa5b809524fd0b92c26adf438eb78f956ea358aa45c68f1ae01e9bf842e33ac77f5aa25ef50ea68d5c3f6bc366c07524c11aa57efb503b6ac396b52d033c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
500d9e6284fbb8f0fa21f8ed33bf2853

SHA1
fe5c1244f8987fbe6d2355f9dbb407d30be005b0

SHA256
1e1fe4624878bb165bd88e01e18b37af5ea93e97113098336472574ae6d0dac3

SHA512
59afd0df8da431cb85880bddec7e1fc9f92907ec35e83a148a98417af2a6ae9ced5ba3560d4a53836cf666b3864239ea8773c3b87d05bfc8b38c35e3c9fc76ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5974ecbecfacc77d80772753c9a8ed04

SHA1
d5515aa0e59c99146f2225c6891d684f6af902e5

SHA256
7392e86fd1ca627e057c6ddaf3c3d9964fad7d71826a24d3cc07d9aff568701c

SHA512
572805dc602c94c318ada19fa32fa8c935aeef4c8e9d07055b5070f8899e6a97b522cfcd8b77d7e999994b90c853f1d6fea8a9f2f320ef95b70f7b15ed11e82e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5db8190fdd98956a8c9340a2e4ba32f

SHA1
a0d0ae691e49cdf8e861069ed4383b8616256bd1

SHA256
9a12b9f34296faae971e8854ff28e6c15109c6f51b631d4039a375838ae703fc

SHA512
6730ae249c355b292e961c276f51f8cccf93a126b3010d61ec3702e11ea13f8ad3bde5d3161cbb9469fa096a5b3805c459bc275fa8a36b91d0883991991fae2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68c2e394621eb6db1f360ddabc860f8c

SHA1
038c6e2e41ba34ff13c77118a7165751dd4052e3

SHA256
d8752a7822bada2d7ad33cec6e2b4721c380df0b55762118f4118449411bf93a

SHA512
dda25ea34586759386e5948ce76124d6fbfebcab98412138bde4100ac3026884ef956e0b52f631da1f7603755b2d95e016aaa89d54b45636c53f611d2c7295f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e45d67609af0951d9a38e29cffbca0ca

SHA1
e007177bd657c87cf1152ec59c8082aaeb596fc0

SHA256
1fdbc50b574552de08516560d66ddb466647be31fb131080c6a77da0e87bb564

SHA512
5257e5fa1487615da5b88e8398111762acd38dfa50aa96b2d592bbb4b6d6da0f76479c20963b9496b834fbcf78cc7c49adc7cb27446a20a882f2d3bd5bcba4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
67bf0428f403313fb60db66e6eaaca13

SHA1
2871905ff8dcd251a0927122f976b44309168930

SHA256
35b49624eed74dd20ea0cbc0bea1373a29e564dd07bcaa24a54890e73129f427

SHA512
3668492b9ebb849129172f7e7bf44088251c17bede0da86cd57d4a346304c80a199e377cde9ce202caeadaca1cc6f0fc823157c0ba344b61c36c9a8eb6bc4716

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1620_133729587772631880\tcl\encoding\euc-cn.enc

Filesize
84KB

MD5
c5aa0d11439e0f7682dae39445f5dab4

SHA1
73a6d55b894e89a7d4cb1cd3ccff82665c303d5c

SHA256
1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00

SHA512
eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5

Download Submit
C:\Users\Admin\AppData\Local\setup48472272.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\Downloads\Icon.ico

Filesize
5KB

MD5
9424db24bdce91054609b9cf97a0bb57

SHA1
e2e15731b3004c210ec639651182b5475aa5943e

SHA256
4a84923caf6a55579fae89da97b9b90b074ca2a7e6bfced73240ec85918d2c3c

SHA512
496b029fadaa336b484eb8cef0884f77a62ef7c5987e2cbaad394b59f44bf2f7c9f43263b0dc73d2280ab8b2f89cf62a9da45e1ddf26e5aba4ef5dd4ae46365c

Download Submit
C:\Users\Admin\Downloads\Netflix.exe

Filesize
23.9MB

MD5
1b9214626c9b690c82d3a38fd7ecbd8d

SHA1
a2b22931e016a59e6cf9800ad4d826973aa89489

SHA256
04bb4cbf25fb5b3463838e81b24cd7bb2d307c7c856994c12baf1a891c9190e3

SHA512
9b2c824f4553e22716e58ce312468bbc163a762fcfcd9bd308566d02821d85ee9c89c596ccfe1b04fa49a7ae0e69c6686486ba032251a089efae76a2aa2f35f9

Download Submit
C:\Users\Admin\Downloads\Netflix.rar

Filesize
24.7MB

MD5
557d66f321ff4a89b36dfda05ffe3cb7

SHA1
99db9455580281075db487603d006ae7acfbc3bf

SHA256
9faeefa145612695c0127337942617e57635c6c11943125fe935aef8bf680f23

SHA512
afca5acabda5e166392b0e4f46560bd69f9dc7892a32f8a059a83c8293a59e08ef69c4f353682c3a0ec75a8a9d34bc2837dba7d327b7fc1de39869a1a1f7f4c4

Download Submit
C:\Users\Admin\Downloads\NetflixUI3.dll

Filesize
1.4MB

MD5
94870d5b516b8cbe3fbd8d1a4bef261f

SHA1
7af923a503dea048ade8d3cbd3c8e7cf9360be1b

SHA256
21d0bac305542823624d2eaf2e643ebd1fa2206712150f0ceba87bb04d829492

SHA512
ea519a3086ec01b60d7a2bae5254e6d171eda33ee4a2e615dd81f427fcc6b6e9799e081d176265cf9c3e005dd1ef1a324c6aa30a52590aceeaf6cf72ff9d8f9e

Download Submit
memory/2452-292-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/4832-295-0x0000000073600000-0x0000000073DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-275-0x0000000073600000-0x0000000073DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-268-0x000000007360E000-0x000000007360F000-memory.dmp

Filesize
4KB

Download
memory/4832-224-0x0000000007AC0000-0x0000000007AEE000-memory.dmp

Filesize
184KB

Download
memory/4832-201-0x0000000006C00000-0x0000000006C92000-memory.dmp

Filesize
584KB

Download
memory/4832-196-0x0000000007AF0000-0x00000000080A4000-memory.dmp

Filesize
5.7MB

Download
memory/4832-190-0x0000000006F80000-0x0000000007524000-memory.dmp

Filesize
5.6MB

Download
memory/4832-187-0x00000000067A0000-0x00000000067AC000-memory.dmp

Filesize
48KB

Download
memory/4832-181-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/4832-180-0x0000000006010000-0x0000000006032000-memory.dmp

Filesize
136KB

Download
memory/4832-179-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/4832-174-0x00000000060A0000-0x000000000612C000-memory.dmp

Filesize
560KB

Download
memory/4832-155-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/4832-139-0x00000000052F0000-0x000000000530D000-memory.dmp

Filesize
116KB

Download
memory/4832-129-0x0000000005360000-0x000000000538C000-memory.dmp

Filesize
176KB

Download
memory/4832-121-0x0000000005310000-0x0000000005318000-memory.dmp

Filesize
32KB

Download
memory/4832-105-0x00000000052C0000-0x00000000052E4000-memory.dmp

Filesize
144KB

Download
memory/4832-113-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/4832-97-0x0000000005210000-0x000000000522A000-memory.dmp

Filesize
104KB

Download
memory/4832-89-0x0000000005250000-0x0000000005282000-memory.dmp

Filesize
200KB

Download
memory/4832-81-0x00000000051E0000-0x0000000005208000-memory.dmp

Filesize
160KB

Download
memory/4832-73-0x0000000005170000-0x000000000519E000-memory.dmp

Filesize
184KB

Download
memory/4832-57-0x0000000005110000-0x0000000005134000-memory.dmp

Filesize
144KB

Download
memory/4832-65-0x0000000005140000-0x0000000005168000-memory.dmp

Filesize
160KB

Download
memory/4832-51-0x0000000073600000-0x0000000073DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-48-0x00000000050C0000-0x00000000050D4000-memory.dmp

Filesize
80KB

Download
memory/4832-29-0x0000000000340000-0x0000000000718000-memory.dmp

Filesize
3.8MB

Download
memory/4832-28-0x000000007360E000-0x000000007360F000-memory.dmp

Filesize
4KB

Download