infinitylock | hxxps://mega[.]nz/file/gQ53HbCL#7bbz3SpvcEx89QOytcNzEwJSdXduzEbmgwveereRTOA

Resubmissions

12-11-2024 04:18

241112-ew4hgatmh1 10

Analysis

max time kernel
548s
max time network
552s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-11-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/gQ53HbCL#7bbz3SpvcEx89QOytcNzEwJSdXduzEbmgwveereRTOA

Score

10^/10

infinitylock bootkit defense_evasion discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Infinitylock family
infinitylock

Modifies visibility of file extensions in Explorer 2 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 28 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 35 IoCs

pid	Process
5100	winrar-x64-710b1.exe
4680	Galaxy.exe
4588	Galaxy.exe
2644	PolyRansom.exe
5000	sGQEQQEI.exe
2860	ogoMwMcE.exe
5092	PolyRansom.exe
3364	PolyRansom.exe
1780	PolyRansom.exe
4872	PolyRansom.exe
3468	PolyRansom.exe
2208	PolyRansom.exe
1008	PolyRansom.exe
3688	PolyRansom.exe
5088	PolyRansom.exe
4804	PolyRansom.exe
4572	PolyRansom.exe
3928	PolyRansom.exe
3940	PolyRansom.exe
4180	PolyRansom.exe
1960	PolyRansom.exe
2432	PolyRansom.exe
4688	PolyRansom.exe
3328	PolyRansom.exe
1112	PolyRansom.exe
4544	PolyRansom.exe
2812	PolyRansom.exe
1588	PolyRansom.exe
4544	PolyRansom.exe
4596	InfinityCrypt.exe
536	PolyRansom.exe
384	PolyRansom.exe
4576	PolyRansom.exe
2688	PolyRansom.exe
6100	Seftad.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\sGQEQQEI.exe = "C:\\Users\\Admin\\UqscQgIQ\\sGQEQQEI.exe"	sGQEQQEI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogoMwMcE.exe = "C:\\ProgramData\\smQMIkQE\\ogoMwMcE.exe"	ogoMwMcE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\sGQEQQEI.exe = "C:\\Users\\Admin\\UqscQgIQ\\sGQEQQEI.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogoMwMcE.exe = "C:\\ProgramData\\smQMIkQE\\ogoMwMcE.exe"	PolyRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
84	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	Seftad.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	sGQEQQEI.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	sGQEQQEI.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "0"	Galaxy.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\as.pak.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\swiftshader\libEGL.dll.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\dual_engine_adapter_x64.dll.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\fi.pak.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\MEIPreload\manifest.json.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\tr.pak.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\ms.pak.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\fi.pak.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\lv.pak.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ca.pak.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\internal.identity_helper.exe.manifest.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter_18.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\pa.pak.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\learning_tools.dll.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\LICENSE.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\devtools\ko.pak.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Trust Protection Lists\Mu\TransparentAdvertisers.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Sigma\Entities.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover_2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE	InfinityCrypt.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Seftad.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seftad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galaxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogoMwMcE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31143175"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3241684311"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	notepad.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1876	reg.exe
4980	reg.exe
3292	reg.exe
3000	reg.exe
2676	reg.exe
3292	reg.exe
2120	reg.exe
2884	reg.exe
3900	reg.exe
1488	reg.exe
804	reg.exe
1600	reg.exe
1576	reg.exe
2580	reg.exe
4248	reg.exe
1128	reg.exe
1140	reg.exe
760	reg.exe
2580	reg.exe
2676	reg.exe
4968	reg.exe
952	reg.exe
2924	reg.exe
4724	reg.exe
4708	reg.exe
3972	reg.exe
1468	reg.exe
3360	reg.exe
2356	reg.exe
2520	reg.exe
4100	reg.exe
4036	reg.exe
2796	reg.exe
5088	reg.exe
1828	reg.exe
1960	reg.exe
2356	reg.exe
428	reg.exe
4204	reg.exe
2808	reg.exe
4724	reg.exe
2328	reg.exe
236	reg.exe
4740	reg.exe
3940	reg.exe
2092	reg.exe
4608	reg.exe
236	reg.exe
3568	reg.exe
752	reg.exe
4040	reg.exe
2992	reg.exe
1532	reg.exe
4688	reg.exe
4124	reg.exe
436	reg.exe
3028	reg.exe
2164	reg.exe
1008	reg.exe
2676	reg.exe
3116	reg.exe
2812	reg.exe
4036	reg.exe
2812	reg.exe

NTFS ADS 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 418554.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 200278.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 483167.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PetrWrap:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Seftad.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 469935.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 77260.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AsteroidXevoV1Api.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 226325.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 78249.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2172	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4424	msedge.exe
4424	msedge.exe
4576	identity_helper.exe
4576	identity_helper.exe
3820	msedge.exe
3820	msedge.exe
2724	msedge.exe
2724	msedge.exe
1140	msedge.exe
1140	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
820	msedge.exe
4600	msedge.exe
4600	msedge.exe
2688	msedge.exe
2688	msedge.exe
4204	msedge.exe
4204	msedge.exe
4724	msedge.exe
4724	msedge.exe
2644	PolyRansom.exe
2644	PolyRansom.exe
2644	PolyRansom.exe
2644	PolyRansom.exe
5092	PolyRansom.exe
5092	PolyRansom.exe
5092	PolyRansom.exe
5092	PolyRansom.exe
3364	PolyRansom.exe
3364	PolyRansom.exe
3364	PolyRansom.exe
3364	PolyRansom.exe
1780	PolyRansom.exe
1780	PolyRansom.exe
1780	PolyRansom.exe
1780	PolyRansom.exe
4872	PolyRansom.exe
4872	PolyRansom.exe
4872	PolyRansom.exe
4872	PolyRansom.exe
3468	PolyRansom.exe
3468	PolyRansom.exe
3468	PolyRansom.exe
3468	PolyRansom.exe
2208	PolyRansom.exe
2208	PolyRansom.exe
2208	PolyRansom.exe
2208	PolyRansom.exe
1008	PolyRansom.exe
1008	PolyRansom.exe
1008	PolyRansom.exe
1008	PolyRansom.exe
3688	PolyRansom.exe
3688	PolyRansom.exe
3688	PolyRansom.exe
3688	PolyRansom.exe
5088	PolyRansom.exe
5088	PolyRansom.exe
5088	PolyRansom.exe
5088	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4884	OpenWith.exe
2172	vlc.exe
5000	sGQEQQEI.exe
2860	ogoMwMcE.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2336	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2336	AUDIODG.EXE
Token: SeDebugPrivilege	4596	InfinityCrypt.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
2172	vlc.exe
2172	vlc.exe
2172	vlc.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
5100	winrar-x64-710b1.exe
5100	winrar-x64-710b1.exe
5100	winrar-x64-710b1.exe
2172	vlc.exe
3592	MiniSearchHost.exe
6100	Seftad.exe
6076	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 5036	4424	msedge.exe	79
PID 4424 wrote to memory of 5036	4424	msedge.exe	79
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 1080	4424	msedge.exe	80
PID 4424 wrote to memory of 4788	4424	msedge.exe	81
PID 4424 wrote to memory of 4788	4424	msedge.exe	81
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82
PID 4424 wrote to memory of 4644	4424	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/gQ53HbCL#7bbz3SpvcEx89QOytcNzEwJSdXduzEbmgwveereRTOA
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd97113cb8,0x7ffd97113cc8,0x7ffd97113cd8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1212 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1824 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Users\Admin\Downloads\winrar-x64-710b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7612 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7672 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- - C:\Users\Admin\UqscQgIQ\sGQEQQEI.exe
    "C:\Users\Admin\UqscQgIQ\sGQEQQEI.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5000
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:1000
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:2464
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe "C:\Users\Admin\My Documents\myfile"
      4⤵
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:6076
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:4572
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:2000
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:5492
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:5872
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:4252
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:5308
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      System Location Discovery: System Language Discovery
      PID:5796
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:5576
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:5624
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:1384
- - C:\ProgramData\smQMIkQE\ogoMwMcE.exe
    "C:\ProgramData\smQMIkQE\ogoMwMcE.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    PID:1576
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        
        PID:404
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        
        PID:3732
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        
        PID:5088
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        15⤵
        
        PID:4688
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        17⤵
        
        PID:4572
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        23⤵
        
        PID:1800
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        25⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:1828
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:1000
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        28⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        30⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        31⤵
        
        PID:4708
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        32⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        33⤵
        
        PID:2032
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        35⤵
        
        PID:3568
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        40⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        41⤵
        
        PID:2380
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        42⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4124
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        44⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        45⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3292
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        47⤵
        
        PID:1240
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        48⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        49⤵
        
        PID:1964
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        50⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        51⤵
        
        PID:428
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        52⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        53⤵
        
        PID:2812
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        54⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        55⤵
        
        PID:4108
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        56⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        57⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leoggcMo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        57⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        Modifies registry key
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        Modifies registry key
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICkMEYok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        55⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        Modifies registry key
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYYIgwIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        53⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIEcUsgg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        51⤵
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        Modifies registry key
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWwcEAQs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        49⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWYYwMYs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        47⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMAwcAgY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        45⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCkAQMkk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        43⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYAkkgoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        41⤵
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcYoMkk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        39⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSgEQwQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        37⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiAIIoEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        35⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoQMIQMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        33⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaoMkkYI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        Modifies registry key
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKgEkEwA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        29⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        Modifies registry key
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGIMEsYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        27⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycQMYcwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        25⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msogMYwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkkogYYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUwAsYMo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEkcssoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        17⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcIcgUAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        15⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMIIUUUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIEokIYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAwYMAko.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsAosEAk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1828
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruwIMYsk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        
        PID:2164
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System Location Discovery: System Language Discovery
    PID:2520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAIEAIwE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4980
- C:\Users\Admin\Downloads\InfinityCrypt.exe
  "C:\Users\Admin\Downloads\InfinityCrypt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7656 /prefetch:8
  2⤵
  PID:4848
- C:\Users\Admin\Downloads\Seftad.exe
  "C:\Users\Admin\Downloads\Seftad.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3516748343017465795,13603426269181121468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3604

C:\Users\Admin\Downloads\Galaxy.exe
"C:\Users\Admin\Downloads\Galaxy.exe"
1⤵
- Executes dropped EXE
PID:4680

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\UnlockSubmit.wpl"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Users\Admin\Downloads\Galaxy.exe
"C:\Users\Admin\Downloads\Galaxy.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2760

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5200

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4380

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e24f75fd592a47ac8e6c6d73633dd1f9 /t 2148 /p 5100
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
16B

MD5
9cb58341fc83bc039603b2fd4c528d27

SHA1
1f2fe10ceada7532daa96653f640c49dc95ad53a

SHA256
3fa853ecbdf760946a2b03d6e2caadd4ce60846e5e0535b0a77442706e836e15

SHA512
cfb254aa06b8c37d3bc97cc10a119a7b30879e39eecf053f0520564782a149148aaad9acafa51a8160ee376a97b30ffb803bcc1437a53023b0cc0fcab0f7383f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
720B

MD5
f2682230bdc0479f154a6001c6659a06

SHA1
1645ed00ce32df10bced1b816d79dc88810c22fe

SHA256
f49544507ccf03e46ff3f49b09718e16101e36c14fa18f08ae0cf629144ccb31

SHA512
ce8bb983305cd858d5491253230b7c18f2f6ba4eaca72113e0fc400e6aabac163653d87795131ea82c0608e36c1185353a6808ef68c5e9387beda3244ef2b131

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
688B

MD5
a2eb9da09714e68f2381f13fdec32656

SHA1
83c460a41afab4c9606870127e776bfe83bc86c3

SHA256
acc5c45cc03e96ad81ed5cdb79cc8b8d3f62d041c48b98077b59f93981025b4a

SHA512
7dd57a933a330fab182b48e86495abe3bc289c68e5520bcba8a2c936295b17067b83349fe70df86a6650cacbc1427aa298f23bf240fd014fe3c32301a176bd82

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
1KB

MD5
e7fa7f6a84efc8dc9ec6652239015693

SHA1
997e1a26fbe8099db8406d1cfcbb5857170e0eff

SHA256
8f460e6c0a94abbf52e6d7b2eef0b4487ae93a35429477f8a1c64668accb9d81

SHA512
65a4707890fbf8349fc8b584f2770644c5c7c2ae0a97e9058a1bb7c9c4938b9623491fcb686541d9b5d8d9b72998c98dd8c164486781f7ee933d3f095a43bc29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
448B

MD5
adc148b589161349ea1396db18a07f4c

SHA1
71ba0811280f68ae5b34bb621b687ca13f52ce0c

SHA256
9fa00821ec275096a8fd8f85a7b2ba23d37120aff412ce677d8f719e13157ab3

SHA512
e71079a37864b68713b7878dac31480a76b1e96b2058eb1ba9ae745416d5099929bc36e1eb4be05bf7de7eb73851d98eca278834895632ae836d2289aded56f9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
624B

MD5
8ec72de6a5c78569115b3c2c8a688f7f

SHA1
e05dd4d59aa8a81a4496eccc5fd3e11e9787ef14

SHA256
705de708b1f4946fe13650251c58893b74a393291b122651c223b6dc45409123

SHA512
77ad8106409a57a01e21bed906a3a988f49154227a0a43ab2b25808d822a24b75fcfb10c84022be47b5dc8db4ff551ea1afe98aea671c44ad4a8c371964483ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
400B

MD5
0592ec3af781428b2cad6fa5b2be1f25

SHA1
1ac8d5272356eec1d289ec3a698aa14b0d1c0332

SHA256
5587df2bc728f616a557a721c3635246394b7002206be2dc9ab5c4fa0c15398e

SHA512
b548bf553bd93f147fbfd4a18ecbf58cca462df6c61f9633347a38cc12e4c774bf2a355317a98e9be1936375d2e0f76163744e9b7b2c83dfa0343aaa5fa51362

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
560B

MD5
346704764439c73f0f1cca9cb7a9e97f

SHA1
25cd84ead52b854a94f89aea653f7179a0e5a429

SHA256
62c9372dd1ba29abf7fedac272ced765bebea62f664700518ab553c848d84df2

SHA512
bfe7535d78362479b0d2a097bc62893947c5516e915c5506c6f42d0cedb7e8524c6e0037049e58ee726b5557ff9fc39a92b934aa4b2d1e50c0b46d94fe3dfd2a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
400B

MD5
3b782491442b8298bd0dec2c72468637

SHA1
f61cb96c220549532a351fd765a5e7afc15c5b2f

SHA256
ee3e829507c0121c5c8ebc7e9033011385a80f6b0d4289a52f521ca99f9de289

SHA512
83dffaf5e2b28b8c27ce8c21c181adacdabb995de65049d73c737d895045348018f99741522ca4c4a66cf2e56ef064ba5269b41dbb831212a7be1fd4e10439f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
560B

MD5
c1c5af08de2e850a5662c90bc92223f9

SHA1
cce3240018bc0a94672ee5b6639f91ad90ffdc2e

SHA256
f01161eec0cbefdb6dfa10a4dee58a30deca47ea508fdbeb67a771b1fc04e3ff

SHA512
561de2d02e08ce1de2606790016f38956abb6bcb405333fd653aa2873f3d2d5a439e0bf8f85c1762930fc1cca784d0eaeb707955eeab5f93295d94e042d33334

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
400B

MD5
b243d3e6ace2623df4a495fb0c3c8601

SHA1
631ea169ec8cfee817400899859ec9617addfed9

SHA256
9324020f7b1d57df7b2271bda11d7991cfa777c39771064b3737088c86c7597e

SHA512
21706090863777cdc863dd37144d6b612b37abeb2f763dd24184c26c92df253a606a8c40c356358ec436a1f906859c3b1072ac74ecc6b17a70ea30ea16652929

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
560B

MD5
562b505ed9604195318d866bb14cc804

SHA1
9e55727d7f93a9bca3e37ad59e02d103686f9e55

SHA256
19fad4704c73cdff573ed6897e4d8cbc6d7152c5e5a58535da8b8002cdfec77c

SHA512
e5240ff33b59266b95d38d64722837a447dc36cb888f0536ec752a8cd83827503e8cd0ba17a8ddcc4df28e9c84e0d0f10e8a9324ae2d8ae59b763cd9987d6754

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
7KB

MD5
1fc973425b7e373150f854ba8c078561

SHA1
9c294e21cc8246d91c51593af530a38d10162c8e

SHA256
f69c719c15eaeac105d930e6d0d9f8173449b4686cf8f63efae82e21ea56f143

SHA512
1489c4458d106514f7a57bc7b6afb1719d392b029cc5e0a8d07fa232925550090c819d16d965a0a41b191f9468c0cdd67a24b6d1583e5a7a3bdaa799fc5538e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
7KB

MD5
25fb2bbf5f8da7b58b05d3c0171d6d84

SHA1
49378455f0aaeca04041b25ea4e7dac06a5e380b

SHA256
5fafff668e132dda5cd7a561c5251df45a8db0331548248a94dc992085178b2e

SHA512
3502763bfd03a0ecbcaf8d519d5e6f65a31e4112205f6f2cd7f53d8a70e722f715e3cec652e0c027cb9878ea9f5bb217a7f254cc086f038e085fd90d5d56cd1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
15KB

MD5
82c6a72aac10cdf26cdc6e95e3b2388f

SHA1
798b3eb9866fef8a4922f9e611bd94a9613505d7

SHA256
12af6648f76331e88367e7535813963aa74de58da588e2832fe2cde2898a7071

SHA512
34aea3c87ff71552ee7d18b0bf7e3158032863b0d74c6ed34eeee81ded4eee2dc20f0ca34329fede905d86f80e2096e951080e0b17bef9fac935e586678a5b5d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
8KB

MD5
7062a0890f78242ce980934218097e88

SHA1
24e984313a842fba31670c3815972d39a40d950b

SHA256
49a99fb572aca2c10ca910ebf788126af3baa2dbf5923c6d08ea5a90a6bb7ba5

SHA512
e8ceb48ef1bb48b05392f0966a211adc769c99663be2b05d0c64faaaad2ff2b6ebd5ec84e06620a585112f5e3c4586b05c71df8ce4b1e011ea222f49a5c20fe6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
17KB

MD5
a05da52fef341910e61e01474a03f935

SHA1
0e7960c5b6136ba6aaf4f2a3e6d85bc64702976a

SHA256
4dfbcfc7731a895b139ced8ba27a552b3ff5b6033a465f18e44f36f6d0854b48

SHA512
a35713f1009bc2fad96a7995ddcaa06afcb8ef77ef7683fd7396f2129b54be7d54825aa8373155d8140a52c1658a0964497ce264cca4d7e2d68a737f557ca646

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
192B

MD5
a2ea2099755462ffaadc3b2f0dc3ee11

SHA1
0d727695398ff255f7e0a47c35de3a5b717af437

SHA256
4e79aeeaa3a0832561398942241dc4f2b147258ac97a99c691eee2c7df80ae36

SHA512
2f57383ed2e304c51111a20fdafae710ff97512e3956aeb319fca8a370b8c19e228df32f54f2496af6bd9f114aec2d84269b15afcd8e230e45bf49f88a682690

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
704B

MD5
8ed970bce80d67deffae1b2b5bcc0f31

SHA1
d3cfb7822e7bcbc1961b32e479068f9fefbf543b

SHA256
bce96e2cb2ad25a423be5e21547645dd5969097b36790592aa0802cf31523e1e

SHA512
959d15773290515a4b4de7427b09292bda87f058eea06dcc78814f93af7b168e28254b51f953652c43e568cdf2519352fb64ef0ff5338ba10134e11a3bbb4299

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
8KB

MD5
0597c54509357fb1c9f0e63e572089b1

SHA1
9eecc151a485e33428c0783521c8cd2fb916d852

SHA256
1c8a9291d6045aa5648677ce4c6795bf6079ae19db97158e3be3d7f6f5f0ac75

SHA512
8b19823ff1beb57b5f02c71c7c2a59f14040c64504e2229add51d26002882a463e422abd93afdd95e94ae4b98fa27ba7c52769bd9c89ead3e1fd499d6158b5c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
19KB

MD5
7471ecc686f55aa012ebcafa7808d8ac

SHA1
bf8ffd9e2ea00e03981bb4f51dcb4a566eea4083

SHA256
f9e820e777f3e3379d5bb5f601a26af338a6615456427c1a43793c591d9f49c7

SHA512
8fd47c31c0f7234f34a6f2f471a1a6a094db1c516e7eac437aadbe8e3d7fb603e51229f23fb29d2371bb48bce754ddf56766a79ff65e5a535942e492a3cb4520

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
832B

MD5
467745b456367084709a542d9e3107a2

SHA1
3524c55e033375f90702df2d66b526ba56c40d34

SHA256
769b4983fd2787b59236475777d7f65751e60b361b91aaae4d08101b592baf6c

SHA512
8ed82956d44a264e44b85b26cc2647bacb02f23450b705da920396c08ec11815d218400cd4afec12bbf44de10dc227a5a0c8f99b09437432cfe4f9e048777765

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
1KB

MD5
6b5ff90467862b616bbd8f06dedb3c3f

SHA1
881ebd669c5923231ac37b25fe7fb7ee0f5bfb24

SHA256
491d41b9a987f4db23d446ae9e270e20efe2f1da593e64fce4f7e20a155c2c36

SHA512
e12a42f11ba39252d724f98a4fb3a0567e27756cf1dfa72b694ee1d96cfba6cf2a8b786e4df66bc81f67c2cd150c4d8d94291c596f35c6a344f0415b5e773d17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
1KB

MD5
98b010ba1487bb035b5ea8f671b77f8e

SHA1
6849449327e4ace498347e6b545339ef216b4da3

SHA256
330b630137dbc0ad4603ecb5dbe2ccf3aecd7c94b67815835da5e187aef5f249

SHA512
325b58b85e26e20ada5639f3a464ab011adba0fb86550349fcb30c2773ed9bd55ddd299d4069d18e3886a1c122a0ca96e8cc780cc7bb1a06333718c8c3a95021

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
816B

MD5
ce3c84fb8188c949bae7c7067888b8b9

SHA1
8bd878a9d60177f5ba8e93a54fd5e1024ca82982

SHA256
142f77d6aff5c7f90b1d06746172b79f6e7fa1992120d6a60f5184a9deb53516

SHA512
705d635a83ef465ebb3c0ee7c1484176c55e2fdb9a882df0f04736012ecd938735cde9dcf466df89f3cafbbc56fb3991b2b78ed7f10b762d3a219f50b7eee255

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
2KB

MD5
b373e777d2a8aa2dd471c19a0ebc4a15

SHA1
cad87b24fb3db8e7b8065b145704fd348c6b4c85

SHA256
74f3e755d21d8649b5984c4ab72b078981d6a0afecac57a33d4b9fbd323a9fcf

SHA512
22651fe1ee34ee8b3008c0c37d5362141fa383c34f59d821138c05edffeae5a230f8efa591530c8edd6305fca5ffee676f7c3ba492c7dbf57b68db02e0edaddf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
2KB

MD5
0fd6dd4aa1177c9199824a9b1173c59f

SHA1
c05a9217f9c87b1dbdd97d5c6503eebe82e8c31c

SHA256
7e3fc92549fb67b50f1ea8187ae8207d6b6a138542c6ae8dc1a3f8bef2bc775c

SHA512
2e292af82806da428618b5f7cdd154b6231ddb1d1e116aa7371bb17bfda80ae52f387bf4fc6303aae71970057545e21c42c81694bb8ce04de9666f792c2aec30

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
4KB

MD5
df7e362e53d89dcccbd8f8707790b160

SHA1
71f1728ec64aca5d45a0792491746915b35de9df

SHA256
4a2f764933aa70ff7d81d43e8c961782f6bb50340723c45d7b8aeccba64ce621

SHA512
df80621fe3d9da4af0022df75845ec0c544db7781a2d2a8d47f1d279b7e73a83ec121affd065032602ce6966c0c6b7b79b49e02682d8365ccf3bedb56fccaa2a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
304B

MD5
577bcdaeb96bef69ef9177fa762a99a0

SHA1
a8e1e5871d802c092b409e852fb9c1600e4c5cca

SHA256
46884f603dec9739d89680d4b164f26b7c3ecb70b485afc9c03689adcb83c273

SHA512
b54b88835b8d1b18ea0cd45490d89bdb156517dff3585ff0faf5bc0d05076d1507e82bf7d8f3588a8316dfe99f11a825c0dceaaecb4f270a7f1b4a39c85b637f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
400B

MD5
5dd03d270a5ac79c13f516ebe8715062

SHA1
94c50607b0717419bdef8a249c4340d7e06872d0

SHA256
65f2d9b43d30c3b2dc635beacaefb96d04bdeb939b24ba71aa380db46ebdb062

SHA512
ccf5bbf1238c0a78d918dd9d835d1bf02acf39568c3917aa961164dc7d169bc451cdb23c0f6c7a5c88f52820f9c2f4fccee850d62ce998e6dfac927293ce9ac9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
1008B

MD5
40c0812ebff0d7e422f1dd0a771be46c

SHA1
2bb3cb789a887c70af430255dbb16c30b39a7f96

SHA256
90142a5e507bab529157af847b74c6b798db689e0355978121c3d3aeec171cdc

SHA512
2e573696b41091279b84a4511075eab1ced44a9d45bd28e71be2d57bb8dc4e3e825021d2cf72589a840ee72ac19b7e4b8544e1985b615f03a0fe23448045d1e5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
1KB

MD5
6f4b9b96de0184a2bc4bb181a734df66

SHA1
d8151a3771786fe8eec9db26316819012b29ae34

SHA256
8195eec3fe921042055e11b733a20d2f0bcd77a3bc8957f51c2dd168041e64dd

SHA512
3866594614d696ccddc7de425ee3a5798c2b804bcb9bc641bb2e309268281ac8bfad996784706f8430dad72cc5cdd1e7bfebf3e7b05ea9d95566e4d10f99feb8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
2KB

MD5
0dac4531859ba2431ce0eadaf724ed32

SHA1
26c3691e15b33f517901e9fe363a4ab04158d9d8

SHA256
c610cc66388dc1441fdc61639c030669eff81cabae1663af42df2b0b4afae0a4

SHA512
a7cc6b29384316b88fae2cb32d428f7a3cd8821793397cd1087f37bf8a298ad6fd3b55d6b649bd1d9a22ac3dc4c9d45be4cbc1d742da6f05453f045f28f8eca6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
848B

MD5
c91d8badbbd0534a789bcb3ac59749fc

SHA1
f6889e9b034317025b3fddbc55a3f1db88ed8e38

SHA256
92701e291f7ed8c21f3e4c4fa5163c628dd69d935af3b394cf532624f56e722b

SHA512
5e97e017ab4afba867e670b407de823e96eb3962e199b457b5c01c7f5b09c249d3254e8126f88ab9e53877163422f074dccc247085b51eeb0b81e3b418c2e0dd

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
32KB

MD5
e82b71f5946afdb6c66cd765a4cc95f8

SHA1
3bb9a60be2d8ba926718e36874180a3e8dc4ce41

SHA256
447f08079fdf51dd073c9042e9b605525c18b151bf130ac641d60fc8c26c0832

SHA512
cf9fe9f7597b29aa6beb017442710f02f42a0847e7902da643af774d167d816307eb7fc1acb950910f8155ab86a5af9a904b67b7fc1e7a964fdbf44447d65cf1

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
48B

MD5
b9dc767c10e4ffa918009276484c4fa5

SHA1
814fc5eb082768091b6db7864b16c8567acf9f5a

SHA256
c6bd1b49e8b355f5c447f1a8db9ce7bd294390acb2026e5c46b56b58bd9e9f1d

SHA512
adf9fe2bf3f053366c468981f5cdc409b175dcbbe335c6a00e1ab98de9f9c030104a66719771142b3c10354ec1aee907581e84db1f75707453160a4aec47d7c0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Internal.msix.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
55KB

MD5
5e29bd696f815232e4fd8c01a7d7bc7e

SHA1
874edd7c24420364d361ae18f10108284c126d1b

SHA256
ee6f5b0c48183a29e833d6daca1cc9d044b59d2184eb7bfe9d33c3f640e940a5

SHA512
41bd6c37daf014ad48a012b7b3c52c198bad0a155da45ec194255a505ff7b44b5b083349172d0f09a3564c7f7e288d1e03621e5f4d889512cc0d17e2c69fa76d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe.manifest.501F2010D1A633BD2D57E3368EF101F3EA0DCBFD1A6151D9CCA84B51DAED9BCE

Filesize
1KB

MD5
1c3a9a81782165b4b3138a2a8367ba4d

SHA1
11d45afdbec0c50c549b6a43eb47f5aa7e0771cb

SHA256
0800b66d3f7f37f50067cd454461e2c3330e3ab3d84d126aeb5e19d91caeb0ba

SHA512
9ff18c8031a2db0d011db895422a182e67c98244e0ed3defb5842c119d2ff1b781d108c11e379d29d52ac15ee08c06023a6400339c03ca540177829817c71036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
189KB

MD5
1aced41f3d75157c9224b70030f2d79e

SHA1
57bdd758c37fd9ec586340a3bb7635904ce5c069

SHA256
428fd5dcb71ed366fa2aad398b253636e35c47e164f10664fed58d1480aabe0b

SHA512
f71b0e47864b7c117ecc8238bcf814f95d88881eab04fcda76d7238cb9f6278b5679e490ab0cc872a11b59ee3e9771bbe102ba3d90f8a4bf659c5ed4ba6a9659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\71c90062-5081-4144-b522-597cbf6c3baa.tmp

Filesize
11KB

MD5
93037da00a46a3ee16e04c53041b218d

SHA1
d1c1ffa32ac1419a7b1ac6b7bba483344f069a39

SHA256
8bc4f7002d74fa350d6bc7f5a8d6676aac93d755297634b976864009d914e008

SHA512
acfbc8c2c2378c9fbd5582e0bfed7d185059be1a297fe18707bc243ee1c338341483be5e09e18e8aca36fc6fedcb680cee1d4695b4cac645763e0d5efe2fa06f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\26924b18-e962-4bd1-9a3d-8aae010b1362.tmp

Filesize
1KB

MD5
0240bda62fd5ec89b2517972b91b0784

SHA1
8f7e3fbc460c2191773a4be297f0079a4918f958

SHA256
71aec82a5fa81a056c38a2157bc99b4e5300151f64487305fc3a677eb80c2529

SHA512
f26969f04207e94a5e84e488737860ad65bd9ca3d4885ae93c8b80ee2108c3a11900ddfaf69f82b58b888ac51a6203aa3fc7e4e34a22cc3fa94130aefc6c1972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ee308c7cd9b48e57d29dc5b04e345cc2

SHA1
6dacc1709f8e7daafa8ed31ebf0c0f7ab63b97e0

SHA256
124188125f9ee62d9c839212330dcbb63fba8ae4ed756a57d1209acea4ec6e59

SHA512
f670f2576b2f779d466e763a7ff8e602c7d13adfafa5d328635f819138c2f8937339ebdf1deecda897ba276b9d4a3d1cd27c1c2d338d1663b91d0f77192421f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6ac830387b7364e03303fce17cfe150b

SHA1
6bacc6010be1173a9948513b75344d85bedf6962

SHA256
664283ccef2b532cc7744b176cd10fa72907397eae642fccaa2f3feeb0dc61fb

SHA512
6930c90f54c851c055e5cd21ab4a1b0e6f8e7ec77e63363ef55f5fb6443432d8238c402529eaf353fbe0894f8c80183c8d60da6c76952ac81b9cb3a3e6858c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7b48139feaecb4a200c5e97034d35e76

SHA1
6a053270b3241ebc948aab58f889631b08c9ef08

SHA256
3729d684706200bac8f17b91bed56a753a545975ca60d5d3384c3ffc37b813a8

SHA512
c9f5a9aab63b108568749f6d2f0a3dd25bcef331b6cd5b142997a2d52c79b850a39fad0fc23fed7938396b3434d15fd872c621d9d091b3d46662c67766608f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
469B

MD5
9c26477b726e10fb4f626051c16cf989

SHA1
4284acc9b7307f0b9de770ff6dced136455857d8

SHA256
33b488de6ce881940d34c4a27efeb3c91d49edc2eb92532e77b4d7bdec69ba7c

SHA512
dbdcb1b98f98785efba627fa8e0e61cb5882f2a853be8662100e5e66e97fadb43d797aa8dae1f40c30312e93861f4ddf83c99ddfb0e960f85c203d4b3681be3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6b74f655a2ec78fd6d25a6fa45932b55

SHA1
cdc909a2f2cb1a7bf19ffea866b3d7b4df022462

SHA256
bff307c6342bbf5335c26ed4eb27fc031e2ad1df7af373ae2b4cf401914b9e0b

SHA512
d20853aee98277286821f48ca1862be0e1000a47e87016dfe30be968918d6b2d610195b3f33b56c6c84543dfe73aca2d864b94b7710ceb539c9d96490b71c243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c8303ded2eb2d5b20cac80b5b9cbd543

SHA1
71eae2780f81ea8680b853895b28db50a685ca16

SHA256
2b342f382490eb3809a7a9c4b963711b306a6978aabc88f51a77e520b170881e

SHA512
b39a655ee17109730236fa554a60eb6a7ae3d1bbd2ce9eed1fb734fae5601d4d05acd4f1acacebce4f85c3b5308e4abaddacc29775b76dc625b9098fb73e278a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a30ee79a55e52ef18bf9cb7f17b7cccc

SHA1
5372a2dd52fe7c49afe4c298fc199563090dc23c

SHA256
a1cc9e04a4c643ffc5db382e6030a49797851e56fdd21785d85bee880e9f03d6

SHA512
0fc58cf38507ee2fc3b3b598490607a0bff9a9c387eea47099636a5bc317d37ef8b3f79d165d320a60ad379d9fc1589ecdfcc22e6bddd577377be57c619c93d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ca77790ea7281792c12e725e8f843347

SHA1
326cd2d29bf094f6c18b78edb83ff7c406be4e78

SHA256
9f59bf2b7f2f4a3cd5a70151b7e96c5a1b6fb8c0a7bf60405932caad967c8724

SHA512
914cd0c90bfb987f79eb539da86780f514c8dcde7e0a33df9b4459282dcc891b9e595f791bf015475242cdf78292103c19001d63134d152ec0a20d1ad12b6202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7d853049bb2643061258ba05e605269

SHA1
193e32dd9cb81bf7bd95c35bbfd83d75ca9401a1

SHA256
96b479ded6421bd2ae98249bd137277a7e2198d08620cb3be741f0fa0494174e

SHA512
b76df05fa337fe31f7523f34715ab13767c7355ff1111f510bc401b0f0133a25c5e8e16dc91084753ee843ba78b134b75f9c3292a350ae83302779a763aae462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffd34047583b6c2408f26ec13f20b036

SHA1
985c64b1f0abb2abe1406de390cba54a69f73299

SHA256
24c97bbc90c4bf3f666a16a35e5f17a0b30d3a45013cf291fe05382824cabfee

SHA512
abcdc3a4eca0d81d834ea05ff2b348ec9e1b7a2fa3fc9f270031eea190c346b6ba3c503cd556a4c68d3dc1aa15084505479b7f53c4c373c16794571601c69c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8aad98a74e1df76aba5ce84f91353885

SHA1
8d6b89d3c327eba288b3ca02ce3e0ebb5a0dfa7f

SHA256
445d84435f67b42e8119f0f25f05d12965db4486418a2b17e9c8aa7d9d889295

SHA512
d99fb257f295b8d208475e114bb3dde1e724b5b08bebeca87f520dc96a5c91ade03e244caae3035cd1b759c2e6efc2fcafedc1d5335c7d4f9dd229e63e19b5b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9183f55741fc864f27421776c3903d72

SHA1
a1ede327d688f7e665d202009ac947f32da1d1d7

SHA256
1482040a6f64b292767df9116e56a8004d664d071d3e12e432e4e8add58ca669

SHA512
65ea57e65b4260093670616e32e973f9d22ca94d4f1789e3229b4f3a0eb0b99c08ba428eed3688006b940551c3c841e4b4dca9e5af5b83316dcb0386695ffa6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae051e5a5e8bc4f03749e646f3277e29

SHA1
66b61398a01fbb19ce87b1a6ff196f5851b1cc5d

SHA256
bd8c9ecbf551697b5e465f1200eaaf1697f5327ee535ebf4f5013d4a3011a975

SHA512
93729cae3b2d47de48ef2beb9a72198dcd27a610267e66658ad01d5f248e69c82c1a88152d1d0640d873df951974c9f0b53335ff5c297090b835929fc171c81a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f30aaa1efc5a53bfc20ec5ab9b1cc22f

SHA1
b7937217d3aec7bf69e78cf8d8e39935f00d206b

SHA256
52de9f2c7609ef2d7b1a4f1b1220a9ad82dcf9450d751e2c39acaae344410097

SHA512
dd03701b24a3e32aff3cc4b24053d5e16ab04f46eacbafde80f1e8bcf13b1d2ba84e618600a4119d2446da2bbad7b7b08866893e0c6fee6a555e3610dbc82557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dfd9c7a82caec3625945a726d00f29dc

SHA1
3161c80c6d009b5427d29d9359372fce4c67ed57

SHA256
84dcbf2494584a4974cc530b431af293d5f6b0f570a14f83803719843cfe3a5a

SHA512
cc59e267d6caec9a96e4d2fef720a929c8eddff69dc9bd716f37f381b65359cc0465e19bb6f4ec22007e4f891c3b8007844d4a21805185f5254f229dfd1306b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5822b6.TMP

Filesize
48B

MD5
cc9e7776508adaf0236d5002c8a79bf6

SHA1
ef0175751bf0468bc8d9d38001a9632091a5ee45

SHA256
c3c587fa353133c34d732784d06caa0a9bed1804242ba0eff6b634b042334ac5

SHA512
9ae972b797fc08aa7ba6f0bf8aa6e5fe05a845b30264c549ecfe49e2a611ad562ff5f8f30d8052f64dc61d57bf1edf855740260bbda9a9c5e3524e6b1b54f7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
575f1be1f36166a7eae956c10dd22e34

SHA1
b227ec2f6c958d6e61d7e41d8e323a7ee5083c64

SHA256
65e5d5122f49e6d5e6e20dad43bd30b5ebc99912e8ef32885f97d27dcd81d37e

SHA512
71643c66470af92b3d97c1535b79a0476ee5f6c1bd932f08e1137224eebf81182d8ceb5c0b92ad004a825be159fa530b60174132af0b6dd40437f955c5bf51f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a0b67a1b79e48ce3ccfa1048dde9bb6

SHA1
a267b6cb8d79428360c1ec751be5e5e2fee15e10

SHA256
c78b94ea632c3410e90eb86b927aac873ed2c687f9439d0d01a3d87b864ebcf7

SHA512
5e9c81e043796968e7a36cc102009afb12539a76f8858e35c7701d0f3274d5fddae3e4f64410a64491effd384cc2243950d4979808959347d3346bee7fce8bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c917aef53792d781626c1b436702b422

SHA1
422165f067d01f4d6750a45cb8adc8fc572f29ef

SHA256
f79d5ee74da0afb827491972d21c3672d50f19e1ad26b3e7646e9401e8baa100

SHA512
b41f5c80a3bd8d05016662bb73da79a1045dce1cfe7dea15ab9873e8fbad3cbca2dd3a6f356b1c5ce0febc262e9237440489012e6c560c61f26a7568b075f0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10a1f2435a3185d9898e14fb3e862a0a

SHA1
b6a1971539d2773ca63d5feb0d60ee2c2edee16c

SHA256
39c939c0e449e7705ea1b5abce37c86b05c24b673190d48f185b313028d32c77

SHA512
b10dc0e6e60284f3c1fd07600da530b2fe3af274e97026ddbbda37aa6e45011a271dec04c095b25d5ab69ddc5d64e7767df8b567e84e8b46807ca23f267fd5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77fee862ce297ed5841bda911f1e11f1

SHA1
2e429f0132feac7b8839727dac27b31756f4c4a7

SHA256
b148e4115b205c4bd1ac6d23318a885eb745e19e7995e3f272fd1a74c4655392

SHA512
fb5a35619f316f9b40dfad6b3b02934366b82aa4feb301c7bec910fa081f73ab74a395900f937b93092db6d5d07d4129fd51bea0f4132b714a67050abdf0a773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b7f40a123227245bb89b405329db48c

SHA1
f16ca570ec53a17d2374ae4b80fb519b98f8e98a

SHA256
0268a2a2126cffd08275f0b4a075385f351dbe99eff3ae5ecb5bcebce64b7729

SHA512
9acf8fc44c39afd585ab34605b700de6adc0552c1d42b3f211dc5e5391be9ca02d5547593084c6e02d8ba2964f81d65529c1b3882241a351581046056308050f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
810597eb122cb30445d539968aed1b2d

SHA1
c8808c5fb93f46a3107f36f2b6b81a805accccc7

SHA256
f61b7647617bde9a1fe80955a1fadd9e6aae3262479cec742267e50d95d9a8ec

SHA512
8ba69652476971c8165f3a2b6814d89487e5a274e77e19ad7a82a9689db810bf7778704b95c803a954b577e62521e0c5d77b5eb1c57ad9c937d3a8e231493428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b40160857e97a90fa148b69273b1de4

SHA1
d8503f83a710bc56b9aee44857e7e4e3279d5146

SHA256
8719e052180e35745b7dc3ee91b56f78b67f48499966358bba7f573499ed02d5

SHA512
765ca50aba63cb527dd810d9276fd3f799cf4ee2c8df2b7d354d22fa389efe2be3beb2c75c005e7110f7e97909e43af4257f1a4d8fbe81785e0971aad750d553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cbc6a0395a2cffe3535dd6a2dbc33d00

SHA1
f60c0074643bf5900f49d8b1c9cf72863d8df51b

SHA256
b38f594c33f448d7167ba7debffd587f4351e4722967a51f25339956a0b2438b

SHA512
29d715807e402314e6d4855a51219c842c55b0cdacfbcd2cc52072348cd6523228e46c424a3f767719191589f2e70c822f574bd5208b40675dc31d8e6292fb19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b10624a71b2858851e8cc74b25d2e475

SHA1
eadbcb79f18f1a15a08ee14b3901f422b2ec7aca

SHA256
bfdf12a327fc5ff52079def349b4857adfd24da59380a3f3299dbcb37cc6e2f6

SHA512
8848919eeb85c00ff7d6b19d4f7068c8d554740167e60211fdac49ae427de0370aef228152459e376cbba4e841c87ca06e5414b0ef64e6fd12ac98d45d6af62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586ec2.TMP

Filesize
203B

MD5
b2ae79ed3d38075d0d66797d228a1709

SHA1
aa222a0e7bb0595283c8d5c15c62fed9816fe9d7

SHA256
d4dae7e10c9aafbf46de77074d9b7be526aad3fc11bad09b034ea8ce4cad6db9

SHA512
305b353fd3049605a202e2444539319a02c69b7eb38c3fd83687d2566f5fc3ab781a450352448b897144b80c68f261a507bd1f7a8c102424a48980cff1e95da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c341ba9f8ae5905113e5baefacdc8f30

SHA1
599d087bda5a06653846a8e6655df6241644d961

SHA256
3a582610707f0fae718e9daea966fac04562200ab77777524487ff99230bd926

SHA512
146890506c0f23045459edf5df1ff2b33cf9017a7736aaca996120166f177d4bc61f42eaf5d4afb5b6af0a46482bc70329f0b2b4d3ced9ba2ad702ec685f7c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d7d14278f69ab90f3a432096a07097b4

SHA1
bd94d7ca7144785a8b3302f08af172ce055e2667

SHA256
af0363acce975888d4012d25d017e66730c604b3517029f1066054dc3c18a68c

SHA512
5a764e92d0a2326bfa978ef692e13aaa5b5072891a21d00556fdebd46d33dcf1cbccf9719012c854975d328562657c82db20e62d515ef80c433b9e8e3b475eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa16dfb35d97eb5c43a28a66606eaa2a

SHA1
111e0fc1e2d8c56b02251ec3018ec2da56cbe328

SHA256
1c73738fc759318e4edcc4f796cfe52f40a7a48ad2d135cde7761e53040686f5

SHA512
5a92ba22cf88a024ed83044661f5468a352a7fd77d5c68c3f699479d0b853c498a9b96de8b7f6a2cf615d5905b1c271d22e8ac263420602df4178eabe11d949b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe919ea488a48d2b1c1952beeece0106

SHA1
161df0bc4bb95c069c0200f4bf678a46a923c690

SHA256
c860801513e6fe732be76060c1d071cf8f2b42da6070d3e5e967a776083b7ca5

SHA512
8920181c93bf25e7967533f8a89bb8066732042be85ea1a8390302d328aef08219c388f7fced0a65111aa59aa1705d84eb8e7d21ce41dd289b93c8088ba02f0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
358bcfb0af07f41f30b11aa5f8696032

SHA1
24af6babc0b7178833eb174df78b43bcb2b73dfc

SHA256
476f239c045f7890caea62cae64aff9e1f6a4b180d3136901e4bb622a7a4965a

SHA512
8df368fd8999b8092bd8a8db010b48bdead4678f272cdf6c15074be2bbb687c4ab3707c9cb3e7a4c67c7908083ce7c02c91ee7df15f0543e913a6de8649432fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b526cbf9a5d28c70eb880bb8cea22fc1

SHA1
8ced693e45242689cdafff3b559e0af32b3bf592

SHA256
5bc77a162a03736859f224e21de9f97a3e927cbb09c794a2a0e715271b92e140

SHA512
e257157feb60cc9ae0cb9cd83d19d00f64ae995d23451ca1f30cc1fb5006f9c65fb12f907cca60435d09539d38e17e10c49bc385ddd6d7b66b6e69794a7c713f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
015a406ef59ac1a7ca8cdda3c8ab6918

SHA1
d2e0a0d239092ab39bd63b44de9e91fedbd677ec

SHA256
cf519842d14d03e22dace05f91f74ea1c4bb7516c17be93d92176298277ef324

SHA512
4e330b0927c8b6cffac106639dfa7cc209ea8111e011cd15c8a1d7993c670bbc4c70380c31ca1ccc9b34b58c0975ac2698e30f3eec0a138c8fd52f34d0a2b353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
183KB

MD5
b7db438157e305291bf4fd0c82291525

SHA1
bfab6c7818b6eeaef6c671a19968e5d11f646e9a

SHA256
eaae2fcf02920ec317367d6bf9d5463b0650f38d3e7ce43f57ede3dc99e91f6c

SHA512
f6aa22bcf59509d7909d33413c346bde0ab5e9ffd2139c6fc218a9f6a2848c335ef700c7f441078b6b67258144571bc7bbb1051e4bda28b41a8006d17e6164df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
205KB

MD5
4d839a04356599826765fd6e99cb4094

SHA1
4b92c0d51e81d4ee3f2e5ab0672a85ec1f0021d7

SHA256
195d0b247751445da62cb0936b948873a5a101736c508d2c48df6610a690b35d

SHA512
b60b140b20e75c63f39f14247e79408a5bb54e75706f3d05b9cd340cfbc909c71879bbb2039ee7c4569007bbb4b578af9ea9aace1711596a76872fed7636e9b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
185KB

MD5
b3481ac1bd6ce8cce20a33cb17341294

SHA1
9683af94b0c7c195affe63361acbdb238c8d6d09

SHA256
0cf3a877561dd49c627820af6f7fe4497e701d620492a6ab17642c7545a1985b

SHA512
966672b0768eb9db61bb24cf8afc98b6154c838d81384aad5d1a969fb73aa604175b216fa2adf356487312ba2243021a0a3f9eddaefe0a96889d733d37c72eb8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e0a7633d-46b0-4deb-a0e7-8311eb35497c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
9KB

MD5
8d114294f636f67ad5e9c84245ba8d1c

SHA1
65004035c360ab7b600f2ba648ba3aade3873764

SHA256
eba6938457dbdca8bc5ba4f3d8f658a7ffa838af53949cd949ac43f53dc68a60

SHA512
5a48de8e357b5fa72873ea548ccf2a9af84f65a8631cf4e54b4c7896203e388508e8c3254bd2df8ed520624adc531d020da4810ca48a31b8f28a474e364a9969

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsAosEAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier

Filesize
241B

MD5
0a94106dade76dae718215a96c28376d

SHA1
5b5bfc14581bdd0092008d89aa03479982a2d04f

SHA256
ad5a54785202391f03273b5dbdc3efcbd43a06c98c69937f59e26e48eddcbd78

SHA512
75408906ee1b223d2dda79841cd26b73a224d45b470129083692f572de3dfcca539f3177f5ef304220d69750ae043b33011a83d158b4dab33f298b29b7dbf871

Download Submit
C:\Users\Admin\Downloads\AsUg.exe

Filesize
244KB

MD5
2db316422520a9b11d6711995b2d8493

SHA1
4e67f851265f77d94976b0d570d6c81441939ab5

SHA256
3d0b54b0fd3435be1b0119e8210cbb93a34addfa2dc41e06e48af88ecc5ba01e

SHA512
4eb7e905c8f9597c8f8c17d32aaf7d73e7aace98b1c826a71d5a7991f4795426095321d9cccd4a24cd169505fe05e8e4000a54225129f2b3bc1fe92fa0e91064

Download Submit
C:\Users\Admin\Downloads\AsteroidXevoV1Api.rar

Filesize
2.2MB

MD5
8e573295ee416d2315894a41cf65fbdd

SHA1
1b939a83d7bd0b8012eaf1e8b218d4fc8ea34c93

SHA256
8fe1ce362f2eec2436a8d05610c01b3e77ec2c72faaa307e1677426dc53ec0c3

SHA512
2bbc39dc2cac436317ebd2015101cb4b13c3a341c3df558233f965d851556765fc2bbce38a215ac43016a21deec37d97b859336d48bb7ee75fb34326cde2e9d1

Download Submit
C:\Users\Admin\Downloads\AsteroidXevoV1Api.rar:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Users\Admin\Downloads\BUUE.exe

Filesize
617KB

MD5
3c1f2a09dbea856235a369030b88954b

SHA1
8f44546d23c51138415a3bfa9930513cd8f27654

SHA256
1c13d7f163f7b1b98eaa22d8f3d36868eb6e2e1396024a13b434b92eea9c21c4

SHA512
c02963535db376596b23c9532a5202b7d38bf6fb3117bcd81f0ea3153d55d3aa355f1df833edc761545e27c1017b0c231f87112ca48a43269bafc65e2397340b

Download Submit
C:\Users\Admin\Downloads\CUIg.exe

Filesize
240KB

MD5
5e64cc863e48c8cc2ee28fc9850977ac

SHA1
36957f5739d3ea80df03b38402c798b9ea041142

SHA256
cd37b3ebfce087d43f7a434d26534e965176d8496a21a63ca6022b53e23ac39c

SHA512
315d8bb344215d6d5dabe07943ec8cc5efc0012322c7addddf63c628c53c026ee7d7bd173ad605c0ef5f91a35dd699b61c8975a305a2a4a6867294412b1fa1d0

Download Submit
C:\Users\Admin\Downloads\Ckcc.exe

Filesize
208KB

MD5
3c55b308ffb5697518d7e4e997d0c6a8

SHA1
e4181af0adf2a58a72537e268869293f31cc3798

SHA256
4e303b1c4763b404d480a9b94470e5697c08b49f40df7675a65de5fd7993ceb0

SHA512
777639f3e71af2a6cf1bab0be452932f3ac82e21bee82f4053e05d59c07707554dae6adf9eee428c46c8fffc8acb68def7cc38138a5bb22007466bf819483495

Download Submit
C:\Users\Admin\Downloads\CoUQ.exe

Filesize
202KB

MD5
b70ce3ac79d3a2fe37b86452dcd92cf6

SHA1
18a2d4393ddab4baeeadb89b28278b1913d6654c

SHA256
ded60af17d787a3c6be736a1e52a8d0edea6ef9d451b3e046934bd5d38e2dacb

SHA512
cd9e89b77b148ab21bcce8f8c98941b410a9ca4fd7296653351413dbae8a4c609cda6111c20e44ce2b8fd8b192d683532a38ccd878f441144568441e7d21b993

Download Submit
C:\Users\Admin\Downloads\DYgo.exe

Filesize
192KB

MD5
099a6e81757e0de60d0b3012cd8451dd

SHA1
cffa0b3f948b5e6fe8ec31e0f51d04bd6a6063e7

SHA256
2ed65a1e40224013fc8f6ce3931d0d5bc7c75c6f1c81aed4cd8b977f6ac919b6

SHA512
0c3bf97965701f04827b5fd5840875ee46bde7073929d9adb3ea305e93cc481ecc0613e3c65a85d4c690c9c8280b023ffc7a110cc1e6255cfb83092ad8f9ede9

Download Submit
C:\Users\Admin\Downloads\Dscg.exe

Filesize
195KB

MD5
8e59fe55a2705e8bdde5780c5fd9b22b

SHA1
732cb461188900797a249832535f510d24396227

SHA256
2895f3dff3098ef92ba91890a0bac3edcd02c7c8d5dbbc4dd2e1bcd58414dcaf

SHA512
27791619c3bc90d5830c65ba2eac18272e3b250d624830c3acad3a8e330fda94a63293e3dd9fd60032f00569625894e72cd819120aa68f4e19c9de2b27066cca

Download Submit
C:\Users\Admin\Downloads\EAMU.exe

Filesize
215KB

MD5
afb67482a78212bcba7c6efebcf712ca

SHA1
07d1e70745719eccbabcabf620f5eb7d4cd4e743

SHA256
a0be3d835741045090f2863ddb418adbf509a8b180d7f44016a1db3ec2b5afd6

SHA512
bb5e5e39663960c3b9fd148cdb2757b2bf188c8498e25635ff8ab9c3059d9c9076b9a944425e3f5fdf301837d52d611069ed3494a3227ad27c7dfd9444a5f6d3

Download Submit
C:\Users\Admin\Downloads\EIsU.exe

Filesize
204KB

MD5
7f5046e739604828db0a3b781ace716d

SHA1
650884886eb49cbac68694d751c608c2e496ef7f

SHA256
6785bfba35401208af7f8758be5e1dd14242395d1f85bffefe0c3f5046c17392

SHA512
a7eef5a7896cc978b5a82b917b688361176fbc1b932ecaa5231fc3448da0979c1ab928c51e919c79b0d9139022f1c7a553c6097e500403273b43bd8af91c98d4

Download Submit
C:\Users\Admin\Downloads\EMga.exe

Filesize
793KB

MD5
848ce170033b0d2a5c479a8a6e9f89e8

SHA1
9c01ffb59eb050256056399308712ca8f17bdf64

SHA256
8c87bc6dc6441d73cbc62d80f11f49c2349341a32925eff19b399b31bae2bf7d

SHA512
4a40c71f6885b79ce75dd56dd3631d3e812a93e61302a29374ad538cf9979e5aa51879f81859b1f98a9193a707ba37c0aa09593e70e993e0c79f3c31c5e4e60b

Download Submit
C:\Users\Admin\Downloads\EoQY.exe

Filesize
192KB

MD5
ecd95d6e61b220bb492e32ecb3991f40

SHA1
d6c7dcd132313908ff90230486469080a503bd17

SHA256
3861a3128c63bcde085ff91493318f38c9ae396155880f1c89ba51ae702d68c1

SHA512
518c6d52c46f0c7f9b2136229c4ccf47b7bfdd12a270e0b66e8ed0133a264e3fc0c3918e049f8fa4985896d08284da7dc7320430ae6dbc3af7489f74114e1654

Download Submit
C:\Users\Admin\Downloads\EogC.exe

Filesize
202KB

MD5
abb76e7d0d6b6115120742135d20b7fa

SHA1
7544f87d35bae1b6fa8d39fac1c7829c629eb825

SHA256
ffc1ea91f0c1d606d58499ada6efc252728829c6b34b7a1532dc4b9c53b707be

SHA512
c630efcabb49de03e305390660477351edcf082dd00ae07ae17123f35fb29cbfdfca79bfa43ba9b5b6acf16ae17791e9b57d00a11bbd075a25c7bd5b873aa471

Download Submit
C:\Users\Admin\Downloads\FYYM.exe

Filesize
202KB

MD5
cfee2f1a2e9912a7b21b9ded8c1c9a92

SHA1
9d5d5722fab0bae12c7f4152d2f1d5c86f682d1f

SHA256
c60b1273d84cbb4e51ba3af7d586912e3016ebc17cc3b060faa8ab76760a16de

SHA512
7daadd3594aa0410dcd57bf8a0338ec085ac0cd217ca1f3eaed328e3c660f9939651a77f9c40d768f5be0073c16c6f25fcd0d85078802a5d058dc88dbe27e263

Download Submit
C:\Users\Admin\Downloads\FgwM.exe

Filesize
203KB

MD5
5e01918c134b859dc83143ca2f6a053f

SHA1
6e7d1b1bce489167dd6c6b5733f7e07bb8c612fb

SHA256
576c13b49686e4c30a09122e9af72c94685d2b9b18ce736b6f09632bd686e597

SHA512
8ee3ad9f5a69f6f65c9711981c02ec6b6426890d1ca871c4d4830d5441d60bf5e29dc3b3542a5c4ea0b57fff2aff317f7c6526afa1a6665a763d3eaa772cebde

Download Submit
C:\Users\Admin\Downloads\Fsgy.exe

Filesize
205KB

MD5
ff5a29575246eacd99a849f0e9f65b46

SHA1
7106275d83366cb006434fac602a65f46c28d33d

SHA256
a1f29aedb76f79eb9bbdf76951e8c2cbe81c860c2da8801a1ea89a1479168f03

SHA512
9b0742c8589a49f461c844d8e6eef91c1513ebe649cf19de7cf8f2081795a85380a752794705c96e0df188dfeb48ec52b3ed29fd3b342e50f774a8d090318615

Download Submit
C:\Users\Admin\Downloads\GUYe.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\HEYO.exe

Filesize
644KB

MD5
756e22968e55c99c91deaaa6c5e8d285

SHA1
42ca9d3e8666f6802380e5be1b71e47d56ca8c7f

SHA256
3947735d17efd356e87362a01803bafebb93299a08b9fcda32e34fd0c84cda4f

SHA512
c114f36a8f0dd8312f2ab56bfdceeb2d17a2a1bbb9c9af11fd65f1716a0f233f629c15bd07cc22f533b17645e0cef5c65a4c8acf7a2b1ec97688cd6583fb02b6

Download Submit
C:\Users\Admin\Downloads\HIIK.exe

Filesize
194KB

MD5
001f3f52536d18fe8fa517ffbd4bd4eb

SHA1
38d2323f8281090a37d480179af5f338f81b010e

SHA256
cae13e219d414b5ae6a533d5bb421c21a1c00a59db5c1b2808bed3889a5396fd

SHA512
dee331892a67dd4e548371020fbd00aeee74200119b4e36af1871734648fa20e3817514147afa586edca0404ca92ac828731f281701e5fbcc37fc8d680016f02

Download Submit
C:\Users\Admin\Downloads\HccG.exe

Filesize
201KB

MD5
ea0d68fcd5f8b80eacb916fef7c8793d

SHA1
b5ade8338141c95cc3fac810fab019fe3e07b14d

SHA256
3ffa297f2241970461ab054d071c444384fe04d4c81e6e924d26a28dc41ce43d

SHA512
58d6e5dfbfacad3e7c50994707ca9cdf46b627436ef5f80a725464a48dd2643fcd2b011c02a564938326cbb982af95591827547d93bf69959ca15f46b6069808

Download Submit
C:\Users\Admin\Downloads\HwAi.exe

Filesize
325KB

MD5
14e5c39643f07b9ebb26a8d25a023f9e

SHA1
b814c311043f73ca5cadbd88498fb1d860fb9974

SHA256
45ad3aab0ed5948d3d18297a4519f0cd0c8bfd08981d46790b42a25e92a57131

SHA512
b33569e17c731f9af8148f8ad7fc189e91a7b70bdec3cd10d25b215ac0d51358d2d9492f6af00fe7b51f3b6e59842e7bb6214a68c72d2dbe11d6198d024676a8

Download Submit
C:\Users\Admin\Downloads\IAky.exe

Filesize
187KB

MD5
779226707e8aa533161de82414f218b8

SHA1
3d3d0a856e44350597cc5cb706915f26eefdc2c6

SHA256
95dc7d22b3a7282b829b09577276e66bba0bd6e8a6819b1cf24b4363c52697bb

SHA512
2b0468cd271f9109b1eb3e9e0b13cb0b74ee824d51cd19a8ed8c3b7fac02275697d6eea8577d00ec9a09c38d6ea67f7672bc2b1df7eaca9d6a761fb4e3e8d0f8

Download Submit
C:\Users\Admin\Downloads\IoYA.exe

Filesize
218KB

MD5
3f35ee975186639f7ee4b456c46eb445

SHA1
603ca60d476ceca3fb1b97db908927429f73205c

SHA256
d26e18aa9cabfd0673d998a47992a2075b5e423a5c34bd6d8479b1d3a2a830d4

SHA512
081f500bfc313193e799a41d93a73d1ece8a944b621b22ecfca26e095f33a8e043a6acea1eba2158f23cadd3538b55c656adec7b4f2ff8e359df3d6779e9e89c

Download Submit
C:\Users\Admin\Downloads\JMko.exe

Filesize
1.8MB

MD5
03844a07b7ee79f9bb92e925b25da9f6

SHA1
e71a21c588ee7859bad93506abeeb5801624ba25

SHA256
17c56d90baa4bfc478023962eb4444f6a68be20847466c720901e789c1d10c35

SHA512
b40cb7c22b0bb4b945a0ee5c98e8f2d8e27074c21109440630c80d9d0d2e69b26ef8113e35c50bb3a666ace5600199b75f3a75b7e09be77fa6fc84f9998feecf

Download Submit
C:\Users\Admin\Downloads\Jwkw.exe

Filesize
803KB

MD5
77162dd316cf4da7e3b65db43cedd8b4

SHA1
003e079feb292fbdee146cfb9c40a914a428b54d

SHA256
5a446d38433b69ffec81cad01110b24aa98522fb37323866f6749ab73f61e405

SHA512
dc801289a3ffe5d72411b4e0518023297abfdc72a451144e593a9d0b5fe3d59bc37dbcaf895f455f190b348f98275253ab4d9902bb191b3eff75b88028b95958

Download Submit
C:\Users\Admin\Downloads\KMAa.exe

Filesize
198KB

MD5
8a482f03db31f595efa512db6b548284

SHA1
562533aaf9d8f4648d3cb9bd21127de610a1e460

SHA256
562ee7b16f89c7956fd90cf40be6032e1616ef48a6210903b1aa5d95e996a372

SHA512
600465193fd7311044bf2f5832a6487daea4a88ecb6dbae870dfc37bb9819b746d00ec428ce4e9e8c3fc57af01270c2a38ee5947c97b2ce466d8ba345d61e8b0

Download Submit
C:\Users\Admin\Downloads\KksQ.exe

Filesize
3.8MB

MD5
72a180ed774db536ebaa776d32c3f151

SHA1
efe7580675aaab3172357b6c6c5b86b030180f37

SHA256
335ad2452d358f411ed07b1879e12b0697c9cc33febac0cb84444d5e99005bdd

SHA512
fcf64ced2f476b767fad313383f60c0af8fc9a57380129b9477ed0b1dac8752644bffc6922b2247aa2aff7b81db151ae4483587cec0d98c79022d353a14b010e

Download Submit
C:\Users\Admin\Downloads\KsYK.exe

Filesize
325KB

MD5
404300db2392b5cdd7e9c3ced5f9e695

SHA1
7fbb50dd3a9194df166bf7c58a36a406da93b0c8

SHA256
b7489e6c4c5b72292f48a8aa36404f36ee91a81ac28dd452fefa3701cc150db1

SHA512
d09f0268fa1decc1c2915bf856f85da7ebaf2308bf870b99a5c884fad0a5224f7cedd7b7cdcba9ad137bb00a377811bcd33297bf16858768f1b2d108a8912273

Download Submit
C:\Users\Admin\Downloads\Kwkm.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\Lkgm.exe

Filesize
204KB

MD5
3bebe7cbca7179b9e5f6715ba4b87318

SHA1
ab2791ea306b429636796da93683a7c22b46acc8

SHA256
34b59e25d99e33322ffaa7ab5601ee30e389ee12e8513ebf9b8a0b594bdda942

SHA512
58ae62a5708e07d0c298bc1f4960759a16ef8463c91dd5bce630a20ba6ba1f089fda2084d89b9a0b68cc1757f0f8fe815991497a212a27dce0731aea389ab56c

Download Submit
C:\Users\Admin\Downloads\LsUy.exe

Filesize
630KB

MD5
ef8b1646f78cff06d3c063a46fc78e05

SHA1
4053927759445181516c47719339b0e386ad0b19

SHA256
030a3a4c079d3580113b558ac3a761cc9be3b6875b489a68f9ca6a5dfd9198ea

SHA512
48f0a613da3b665ee04d67b6da4f2c28cc7110ba01f5e5ae2a2b66d550a9d97d1d21a832936e64812b91a017c6c27adf8210e4182f6e7d4dacb874e7af859e34

Download Submit
C:\Users\Admin\Downloads\Lscm.exe

Filesize
197KB

MD5
adfb0aa1456bcf05a1a01eb414da0ebe

SHA1
e54bd5428db2b664f5e148e609c75a03d83c1fdc

SHA256
9c88530ec680f1c56966aef09832c4f1c191f60a173a5eee21429238a63bc3d8

SHA512
98eb60efa46011602f917cafee745cc56e4e79389ab3b667850420dda6f76cedb0af2b255632c86ad1d66bc05c5afe1dcc8337deac338be1dd86b131cc1385e1

Download Submit
C:\Users\Admin\Downloads\MEAq.exe

Filesize
180KB

MD5
92fd13fc6a8569b5aeadd8b09ad13cbf

SHA1
d543aab5a794661008adea03d7f0ff0f6fe68562

SHA256
2c6964a8d66364cf1eb94d65eba8b8c60a5513b86756307962f2bfcf2e65da00

SHA512
2ba4f6292633aa86d4f4cb780fe7c2bd5f7c51fff25e7d74d7cdf55d7513bd48b3c0fed03a6a7cc5605bd0e5ea39b1e458de29512a9ccd02246199e8021e13d2

Download Submit
C:\Users\Admin\Downloads\MEwo.exe

Filesize
201KB

MD5
5034892c5afcac99c469c2a2164eadfb

SHA1
3be8388deff1337760c36eac65c8c6aac8acb52a

SHA256
7abce67636f1bb14bf6b9b1aee3a6057afb51ee6a1df106b4dd1f4284e161ceb

SHA512
e861d41fcd1db99060a1b968c57dac3dadc556bb4e3c79041685568f50142085f6d486a2dcb0afa076a830d194038e46037afbc0655719189677a0b084fba087

Download Submit
C:\Users\Admin\Downloads\Mggs.exe

Filesize
202KB

MD5
a9bc18600580619c54456189927f8a8c

SHA1
4e3e38305a4c41b8a6bdd5d2fd26fd041774c99a

SHA256
e868058c669f9cbce6316396cc6995796d820fd45db1482a174777cc10bdaac9

SHA512
2224962263e26e6bacc5b2fbe0616ba4b38bc8be57a8a054fece3a72f4fcdd10d215c09befb0715f40f790c7756d688a919ae0a3ce871fd98967275d0c268f06

Download Submit
C:\Users\Admin\Downloads\MkMC.exe

Filesize
183KB

MD5
ff920beb2b8d7c65cc1b42bd6d9ca699

SHA1
1e952668d1042dfb98e9dd35c72171c896e26db4

SHA256
735ba97ff85cf7f2555dcf7c6eefc3e92e6a694bf26ffca642318dcf50afdfc1

SHA512
5f999693534e01d31ef977b2000468489c5c07f7284833d58d8dbba0e09afb53ca0e03f4fa75054ed45a48dd467e98d3e7bf2eec8c14154908fddd57f507a4d2

Download Submit
C:\Users\Admin\Downloads\NIMq.exe

Filesize
193KB

MD5
12ec91c5c19d0e76593371aee970d91a

SHA1
eebdb4a676d14353b7cdad9de7e879b4b302c1af

SHA256
f5f7e54db45e951d603674149f2282a0eb927c3fab9488d604bdfd7573e8dfb7

SHA512
197679d448bbd0f18c12ac9ace90f07003e6d67f1671e416b6955374491a8c2229aa4a25afe38db73b9905d7bec50fb6d683020cd9053431dcd1b9bfe4a5eea8

Download Submit
C:\Users\Admin\Downloads\OMEw.exe

Filesize
233KB

MD5
703be57e4ad595a6d7f2832a9d675586

SHA1
295f83fe25a6495d211ea8afb90552088499ca8d

SHA256
713399ee2f3909f3f5fdc903193d43a83da9ef8cf7b6c055a9c1fe1e32da0400

SHA512
ab26846eee29b85674edcbeaf0710100b97156b920257ae8aeb5e54c55d318d40b722cebea397a4c6294d679b85df28fa08b799b686d7399946c4d2cf4c11d48

Download Submit
C:\Users\Admin\Downloads\OUEK.exe

Filesize
656KB

MD5
80668877e58e92e1af9596cf9cd33c02

SHA1
69df83635279c3cb8c6795ed5da8331628788d56

SHA256
7fca7ce4b6a5e907626d19146608c4e37a3b93436fbbe39e18f71c74d3d61b35

SHA512
04612bb52308e50884e70c73ae51121178b1ef2d9687087a28539c0cb82825293682c67fab739c11f10aa0ec3d803675f66b7149624c53370e4e4787d161a93e

Download Submit
C:\Users\Admin\Downloads\OcQK.exe

Filesize
199KB

MD5
24965b57e4b9379daf9cfb3a8c9fd79e

SHA1
ba5de3eb24df494359fc4461ef69a5aeff225081

SHA256
dd02ddfdb785457d88e6a0933f7f5ed11e3bee44e0c98601943924dac05b921b

SHA512
152cd901a3d4a05365e87ceb2712fd83df4fcdf76402bdfe47b97387192927a75db9b3557dfebbdd22eeb33ec38e2c8c0d8c84b8abc15695d755ae9827a11d8d

Download Submit
C:\Users\Admin\Downloads\PIIe.exe

Filesize
197KB

MD5
b23990a74dac26a4c9ef11477bf2e6cf

SHA1
f90b4e3370266bb13658102bf00c4fa51b642864

SHA256
569ce045e92b93a1ae594ee620661700632d80dce1a082e4c4597d5d540f7c6f

SHA512
e03ad3fe41055aa84e96050713162f96e01db027feb198f64af4bb5273f1f78bf4ee1716817e0d73d7ed233f8072317ba4ddf029ecfec7220e4f794388422ea8

Download Submit
C:\Users\Admin\Downloads\PetrWrap

Filesize
473KB

MD5
17c25c8a7c141195ee887de905f33d7b

SHA1
7fa8079e8dca773574d01839efc623d3cd8e6a47

SHA256
e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660

SHA512
de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b

Download Submit
C:\Users\Admin\Downloads\PetrWrap:Zone.Identifier

Filesize
223B

MD5
b52f4476978e09845d046aa76f1614da

SHA1
39e15ae8388a5125a8ecc2d19537b2c9c7df94cc

SHA256
274a34317ff3e84ab154f96994a40ac29c2087eb1c11eeadd72c2a1d781d5a00

SHA512
6de7baa251aad18ca66d8c10a1649a05433fa29b695579568103aabf7f1923c12414b5c703a7a8ff8f1abec189208150f024faabfd31db8dd47f1cb2503632f6

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier

Filesize
235B

MD5
7bf2530c49903fc6ed9ec3fc47a6ad1f

SHA1
76ec0d02a523ef865163f8431910f58cd1014955

SHA256
62653441032237675ca6e91e559a71e4e4d9a4f8ea1d03e4f3754e009f0b8bdc

SHA512
10a75d02a9d8dd90c489dc8ad4655598ed6a9f90ad4d85b3c39261554c31ebf3af38bc4dc8d7841fca880057c398d1b80d4f7645b9ada13b7b6c408f91e10150

Download Submit
C:\Users\Admin\Downloads\QsEa.exe

Filesize
193KB

MD5
43ddba58042d51d906216577acc4f9ce

SHA1
a6123607247d4670bd7da760db1df91a68fdb56a

SHA256
79500e0002981bc60b7206a35064d7eb5295bd8e90c814379199bfbbfc91db40

SHA512
4af499b7cd8c92b665814741d50fbf3bbe82f3dec93794fc5616e41ec8712a8f99affd9a367d4cc4bb599d0e6b584ca332ec075a8a64472ea1e85ed4804622a4

Download Submit
C:\Users\Admin\Downloads\Qskw.exe

Filesize
871KB

MD5
511e33aed1b5b7aa3bdeda024070b361

SHA1
a4cdf2f64dc7393c9db3d8f750f6852980cf8f04

SHA256
536462c068f1fed25830582d69420e88fd3a195d666f22fe31498a6710c74d42

SHA512
3deafebcfe471002723fca0740953c630943ddf0d08faab3f79567404e3a8890b0496247ca9ccf073ad699f3b8347c2767eec1cbbd056905050035d70c557e4e

Download Submit
C:\Users\Admin\Downloads\SIks.exe

Filesize
327KB

MD5
c200375c8a07bf61c59e622c613f5dbe

SHA1
eacb3bff4e64cabc25ac8802499b7f61f8e5c106

SHA256
09a7b55d203bb1c9a9aa8f265f05e58b5bf2533ce967f862050ada285ab1c1ab

SHA512
016a993ab2e280a97d56f13995c2c72835aea5aaff6df4e420fd752f2c1b97cd6cc910e769659a359dd22cde1508a9a49090b6473760a359dfdb16f3335be0e3

Download Submit
C:\Users\Admin\Downloads\SQEy.exe

Filesize
313KB

MD5
d94cd91e01acb12f4b5294c34ca41911

SHA1
41209c6578aad346c5b1b43a9933b37637c0d374

SHA256
2c16046771130386425641e4e254d815a435e5cc6b51f79ae0c144fd21a27a48

SHA512
305657f994c7a334925b3991e08381726f89d986d48b226f26e2437b9d005d9440cfe805944d33c742706be5baca7cc504622bc6df284d9fe8eba92e0773131e

Download Submit
C:\Users\Admin\Downloads\SkEo.exe

Filesize
202KB

MD5
db5ec62f9d37e378d436faa177b4de76

SHA1
301fe44f8982ba425e54353788e0107dcbcf0f59

SHA256
232a6d8a6cd632cbd4cbcd625b50e4db93431b93cea9ead280838c9f6e206f75

SHA512
12a08271e62b5b31b62ee5b686fdc6c06c98b7ad7873a14dd33048433945f3fce6a4c0252da6a5e5b581c036109aaf48625cb2ffa8a6cd847817323e0fe5fe04

Download Submit
C:\Users\Admin\Downloads\TQQO.exe

Filesize
207KB

MD5
6ae8a7cfec4d80f9b603eb2ed3119378

SHA1
739c290d9ad10ee056f450089fd531170c0d8e82

SHA256
c7bdac410c4c9d88189228860285aa18cac4ee973f9d9ac7648337a3b946d992

SHA512
a9fd49de6fcb6273efaad69b81964db27240cd03f52ac559a00ccb0be97bde500bdfba49ccbb25a3e62de0bef84ab222174c1290e97647d143fe4b86ca905696

Download Submit
C:\Users\Admin\Downloads\TwkK.exe

Filesize
202KB

MD5
a47315599c4cd9f370995d51462aca0f

SHA1
5cac1fe51a7eec3b7d1ea3272a6a69009bec474b

SHA256
aa5a73875c06f705146b68150c11f3ceaa8393070e2190851bef78a30b4f3ef6

SHA512
89ca1e6a23f17e9cc0bce6457a009c4686fd06657e1c6fac6d2456ca1aa0dc4ac31022fbfd18dce47e93ea30fa31d1b6c8c8a63c47e59def47435b68f44757ae

Download Submit
C:\Users\Admin\Downloads\UAoi.exe

Filesize
215KB

MD5
88e54772aaa439f1af3bf774428e86e3

SHA1
c113684ccf9ab062feb96770c88bf0807521a44e

SHA256
cf496d7a1ab9a30d6097d8879a002189f2db846632e0fdee5efab48ab50bcc4a

SHA512
d0a40d0b17d770351d378a7539966ec95b0a9179b906922aa34f9ebe4ce0357c0d98fa901716727ad404187be07c07e309656c4b88962b00123a65ad76e76b00

Download Submit
C:\Users\Admin\Downloads\UYAi.exe

Filesize
184KB

MD5
b76172b54f94e783b7193fea57270ecd

SHA1
8fd56718f9266bd04e4cad394e95c7fd3fe265de

SHA256
f81f39049266bdce10d14d3f1a22d223e00b0b311c773f9ee9d37efb000456dd

SHA512
cb68207ff6ab15c30da4a8ad7ef4ae46c3db9af0b6f1ec550c2dbeb0620c3ea8d0794e9c0d1332dce9d1a6d62ee3127f3d83bc6b66eb6ffb927c982abff41cb5

Download Submit
C:\Users\Admin\Downloads\UgYA.exe

Filesize
627KB

MD5
ef8b1b830a7b5f7a3e9f48d9d23bd4bf

SHA1
afccf693c1df36b647513b91012ade189360fc9a

SHA256
e4b0ba0ed324745c2aff80a3a605373aba4814ff85b8c10f662f9864d3739d31

SHA512
30767641c55c09765b77a43f043f7fa0d54cdf16ca3bb2b73ec591fe3d9a22aa46185958a1a7251f20ab3314d5676fd3100cde5bcc72236450459d2e26379655

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 200278.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 418554.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 469935.crdownload

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 469935.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 483167.crdownload

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 77260.crdownload

Filesize
48KB

MD5
86a3a3ce16360e01933d71d0bf1f2c37

SHA1
af54089e3601c742d523b507b3a0793c2b6e60be

SHA256
2ebe23ba9897d9c127b9c0a737ba63af8d0bcd76ec866610cc0b5de2f62b87bd

SHA512
65a3571cf5b057d2c3ce101346947679f162018fa5eadf79c5a6af6c0a3bc9b12731ff13f27629b14983ef8bc73fa9782cc0a9e6c44b0ffc2627da754c324d6e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 78249.crdownload

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\VAgS.exe

Filesize
192KB

MD5
17f30b11da0c7df6629ee0b639daa493

SHA1
808f48f4b111a07f729c6bf46544c202bcfb4348

SHA256
9e3ee2093adfab47fe2d7544af33ed0ab7364b407714e90ecb37e7f324a527b1

SHA512
0c977c46569eecb567dff55bd951ff170b477f332ed540bc4c90e63778edd8957e1c5b71ab04efa7f06c4c2217560bb9fdeb744eb67ea3bd594c2f1a728faa0a

Download Submit
C:\Users\Admin\Downloads\WIYi.exe

Filesize
198KB

MD5
8a86da1dfa8dd6285a1f9b624429881d

SHA1
d5e310b1711e29ffe93ce14fd46d23f510d063e9

SHA256
3609050a37daad18f730bd2bef7ada15a7fe36c237061994581188fda9e897a5

SHA512
91e9429a004af12f916995bb4753f7fad98e00ee68e10d2b845e7c421ca5fc5613bc3e3dbfa5965d9a5184c0d2a091aef3f1629b8b9e5ecfbbeb67c081cb23fe

Download Submit
C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier

Filesize
225B

MD5
d029fe7d77c9aec3eec6e492c2d98234

SHA1
0e7c31ea8eb0d83f58c2e5c4d719ac590af5461f

SHA256
ca53ed58ecfb4413867214ace3c58d22ccd43ae254c3ff8bb99afbc989c139c4

SHA512
ad3bc83d249434a4fcf189ecc956a79d0dd6bd987b150b5ebc3982a45927fcd1e812f06b618eb6a4c67e61e6c22857c89a147be6c28167f5d6975bdf4451972c

Download Submit
C:\Users\Admin\Downloads\XMkk.exe

Filesize
228KB

MD5
0c121ed72fff7a08096f7316d49c27b8

SHA1
46239b8626bb68962ae73ca94bafebda04600136

SHA256
ec43fb65f7a6998cdeac4842334a40236ada51d264a881b058dd01a12a0e5ebd

SHA512
42efd57da03741b1641f57e3e5b5d1e052432ff12ea92d1de51bb96f03f080bb45596ddb6ab6f94801a42ac65daf3d29b3e6f829792153b73847c7a509e824b2

Download Submit
C:\Users\Admin\Downloads\Ygws.exe

Filesize
821KB

MD5
fadbfeb05df71d4858a7095c91579f3e

SHA1
123ab46ee9f4c797fdbc11768a67fdfa3ddd6114

SHA256
0295d231678f95bc78acbef57e361ae28c701bb1a3ed8b8731988c21abcb90df

SHA512
e07f48e34a9582842d3c0487a1088f512fcfa5bebfadd8db9051f3d6f0eaa287f09ee00720bdd0f6f13d3477bbfead56b6e18c3ea792b53aaccc87d34a40aa23

Download Submit
C:\Users\Admin\Downloads\Zgww.exe

Filesize
215KB

MD5
6eb9b13574b2b0a8242b3faa9ebf234b

SHA1
5ede7fc98825d36c1435e4ceaadfed57482bfd07

SHA256
95e3c8b268ce3c37c357312f5eb90b97c8cb5259fbcaed743d92143c83e44424

SHA512
f7b854155c8480328ad1354fc48a1b3fd758ada178cfc9085f074c9c6d5c2cbafe99abc1b488ad3bdcc608d7e1e6c2bb362177d68332155cceb833a6d2bbd678

Download Submit
C:\Users\Admin\Downloads\ZsYk.exe

Filesize
191KB

MD5
30175943556cd7053d9bdb7287c9d646

SHA1
cf39e5adc5b5996923c6c9d37c30f6286ac32ff5

SHA256
068d54085b4471c9154ac6f61e0daa7b4cc9315f6eb31da079bb73bcc7cf1447

SHA512
e1e3009cf653d7c5489f8c81bb6a567cd2527b48a547c4c36adc0f484137e38da24d3ea8fc200831a274c9448aee4580809a602f5e24aef3d2251f1cd91f8411

Download Submit
C:\Users\Admin\Downloads\aEMS.exe

Filesize
333KB

MD5
f12eadf496ddcc74e9f4381cb7b103da

SHA1
74c7ca5e18d0d2c56c564fccda19789f3cf53649

SHA256
1ed2f3eb46534be12a5543c4bc75b87390549bc16e5552b74a5f785db4198df4

SHA512
c0878bf2b780d14b177671c102e913f0eb450979cecd211e5836d7ba24e5df68c01205ded474820bf447dec56dacb3e752f93a49d1dcaf36d68f210236756be9

Download Submit
C:\Users\Admin\Downloads\asMC.exe

Filesize
633KB

MD5
d9170a4d9dc92b0e09bd232a8d4d417a

SHA1
778754f2d056f3cfa477fbcfb539f3eca54d2d6e

SHA256
f0341a6e5316210169b15f279107dd9d96128e18750e6f8b36d1b11774d2133b

SHA512
2cab8c2b8f0dd9af2bbb69a6de12e4488b7c6b6247c03265f911f4ce749f71b063c7ce1b09e830399db8f1df70d6cd77b440865fd40686d23c8ee856f6260ca0

Download Submit
C:\Users\Admin\Downloads\bMko.exe

Filesize
389KB

MD5
3c7d3fda4cd373b6e1265a447bee645b

SHA1
af316bba022544a3f8ea37b62882e5e3a85e7b66

SHA256
93472765c724ae48eba0e1f435bb05efcef196aafc4e44afb82f54348f164b26

SHA512
6b7705efee69b70c70b7b470262b1d33dc3f17e3a78ecfc1ad9ba61a205dac1e1c2320190bb7fc5e86c20415fb4ae194d71d3e988074ce73f2b7ce8ffb72fad3

Download Submit
C:\Users\Admin\Downloads\bYwu.exe

Filesize
191KB

MD5
33cc603b667c5912c0f19921cd791fd8

SHA1
066d02b20926648d6bd47558e9aa66a5d2ed54e8

SHA256
a4c6c6737852a4bb5a46b6234301b2be060e25585f9285a0c7609728194d0b17

SHA512
ee2dcf01acd9bd8f7075c70b8baa309b61fbc637ed180e4db49087c97f92bc16efe7701906e3201a3518741bb37dc866c6994b5a0df3d94574438196b533b33e

Download Submit
C:\Users\Admin\Downloads\dQQu.exe

Filesize
795KB

MD5
0aaadf3ed1dfdc8ed0b9a4cb1b870eca

SHA1
7fc2072064e679dce99bb1c1af52863a6d1b632b

SHA256
47f1dda451453d29eeee41e2d4636bd71bcfc79461e4d56a773809c3d67fcafe

SHA512
88419dd66e71abe3b18a173f0d273024a3d94a21be344d882bfc019c7010296eb9432cac77eab7c6494fe50e9852322ce159e9422cabda77165ab51b3abd8608

Download Submit
C:\Users\Admin\Downloads\eYEW.exe

Filesize
649KB

MD5
0a027b1e7da5a66c11b7afa0fbca551a

SHA1
798edbdefd235e6bece5394bac3c44ba14f772a0

SHA256
31fed129cdcd91000de90fd92ee8cb2af072bad00ebec8529bf1a995e636bd00

SHA512
f6fda355c5bdab57457d419adb50e9b4c8c9974aa1e2d6af8a7dac433c4b44d9b3c7271bb37627146b0c611fe8c731047d37b31a8b05105788b38370476bb1ac

Download Submit
C:\Users\Admin\Downloads\ecsK.exe

Filesize
208KB

MD5
493646e3973f74ebf57da6441264c147

SHA1
52fd9aa0a335e7624cd95b9f3c15d190fee0dab9

SHA256
1a65f529893242a9d7f46425f4446eab6e07fbf1f72c15c0ee4ea1c4fb21346c

SHA512
2c2ecec7bc257137e055324e7c08ccc70c0b00a09dff394016d695fa67b23081dd12b5d181a20e60f4acbea0075d13390fc3feefc29c41c0730b6d7d7b9052a4

Download Submit
C:\Users\Admin\Downloads\ewUU.exe

Filesize
439KB

MD5
3b22f4cb8d6fb2f807e05db380be2254

SHA1
0e3739819506938e1d09bbea14fc7adaa844a147

SHA256
0f5341fe3fa0ecb424f50a029b51fce2aa945e47d05c0455c51ef71091faf590

SHA512
b8e213222cc081f064d8b49fc7267b5a12dc2ccd73595b457a896e4926a7127b4333785907862767f46d9d8d2b4cd5c07a1c50bf11da27e4342798ddaeaab771

Download Submit
C:\Users\Admin\Downloads\ewkO.exe

Filesize
209KB

MD5
d65cc9115e3cd22866886259998b24ec

SHA1
4f0beecbb6d49e3b23e5202747c5429daaf3b548

SHA256
789bd8c88e70606d24173e21fbef99e8b0454cf88ba9a88c274c0d7a5be0787c

SHA512
ce9f5f278faaa2160fbd25f301a733e3010ed31575b0da3acd99a56cb58533c577e78f2423b21c0f9c1680e63a634830a7f9d55a761fffd7e6b91effeb5fdfd5

Download Submit
C:\Users\Admin\Downloads\fIYQ.exe

Filesize
571KB

MD5
4cfa227dfb4d8be900880afd063023b9

SHA1
9a33c6e58f2bc19c50d5eed3835befdfa8c35834

SHA256
59edc0ac871447f4009caaa55a733283d76fd40b57a7603a06434ce8e98cd326

SHA512
82621190cfe289ab9870939c33740063f82c8be47611c54c7dc533c91e2174ab70eff44fd8759f0a9f351b629b9f82ad487748da25fb9a64dbea122d252792a5

Download Submit
C:\Users\Admin\Downloads\fMMo.exe

Filesize
522KB

MD5
59d5e6c4eaf33d53d5ec0b2af1a88a4d

SHA1
685a73fad72973695f305f0da05f91968a8ee099

SHA256
b0b6942d5a63be0e5226df7f2ff5f6152f366102a132138a9ebab37826ef2357

SHA512
1fa3514f14dbbee7582ec462ab92d2a557a5025fab1740cbb043bbf85f6f9c85f69a291995ca8da2521ca8e7a5b4cf6c1cbf843cf32589245d1a576f43bb500d

Download Submit
C:\Users\Admin\Downloads\fMkO.exe

Filesize
463KB

MD5
0e6353a7cd98fdff22cf31477a71f6e1

SHA1
e8ec865b8055b46847a53fb5ffa9e23db1922f1d

SHA256
e7c7b57d9858bc8f4e0eeed138c270402fc5973cca805f8d35b8fe05e0755499

SHA512
dc129e9ff219bb40660e3b134933f9951367e07c91fc3efb97ebcc004b014393e9e3560a34944397148ddeede509e8d482f928aaa32fad9e876d04a13b329fcb

Download Submit
C:\Users\Admin\Downloads\hEgu.exe

Filesize
812KB

MD5
e92cd0825b7dd911b4f26219cb211e73

SHA1
71e7a172737ba2924a22fe8c1a30309033ca7363

SHA256
05aef9170d71d46d027205e94a49f9fa860d01286e9e88b905fcb76f73b307f6

SHA512
ab44c37fd716b9610bf39a00302253de0e9bd794140524bf7737c3eae75f4e054d46147b7871d221bceed9f105ab1c25dafb74ffd9e189c690663d453a0bb2d3

Download Submit
C:\Users\Admin\Downloads\hYIs.exe

Filesize
648KB

MD5
aa4d6ded5fb47af8e4ab3e6efbbf8da4

SHA1
822779466e0e8d0ece7eabd2f1550fe027080dc7

SHA256
340c2655b431cf7a6b5408a380fc7c46ee8f1e1f3c84a4742d220588aff3f89b

SHA512
bc5392d8c8d6345f0a85d5e0d43c42a8d7b8296ad054afec36b08d6a75b75057822c492a053a287580bed5202de07bda2e567cc6a11b595de3adc02d83a27da7

Download Submit
C:\Users\Admin\Downloads\hkgO.exe

Filesize
215KB

MD5
44d54acd854e672f00dffc7ce9d39d60

SHA1
06a551dc1f770edfd0dd2fc6d6237d1a8ec0c8e2

SHA256
3b95dd2d947020d67d7c31cdbdee9fac30b4d6ddcb42c23d954dcea079a99871

SHA512
1f8820aad4b89df9fcd2dfade6a1b219f43829d20252999d9439bde5d786ff1dddef3457a90677e30d99f7b382608d9982b602b9f191ae02af396d8b93b8d3fa

Download Submit
C:\Users\Admin\Downloads\hwsG.exe

Filesize
646KB

MD5
8beea5e6460efddd9c1114ee10ce2e51

SHA1
4dce622af6cb8ef12eebdace0bdb041c60dc20ad

SHA256
1ba4482ed80fb270decad1e450e1df23046debe1dcec5691b4a7bc9f5b00916f

SHA512
6d986154bf4642a2475f6eb3ca1e37188892d7e615e910209e14a3b2750c50fd5507f969e53f74e1ff06be1cfb71576b9c3e34d29997ecb61e40f16435b6ae22

Download Submit
C:\Users\Admin\Downloads\iIow.exe

Filesize
786KB

MD5
27ab83fc32b8f85ad8d127921dba4cbe

SHA1
79ca1e09c68642552b4fafe1220f5c6d8110058e

SHA256
e6d0fbe3f540fd9c64d6bcfb89a65a783facd9e6d4501e01a11e2e8aca42603f

SHA512
43bca18764319bb2db3a257c76f89b7a7b710541d0012eaf4437e2333c95500fe39c2d210c123aeb26ea8e5adae98be3e080eacb26d006d8679bdac688724d79

Download Submit
C:\Users\Admin\Downloads\iUQS.exe

Filesize
201KB

MD5
97c2971045ea39760935baf114e38284

SHA1
e9e881a18796fa0ddbba9248a04b90b5805a20ee

SHA256
a844d9f4fc743fe6ee42062706e87f7261efa04126b4ad403129fd671e615524

SHA512
1cecc592399d7ad1a3f0862d2220d875edad22f383a5a761089acdd5cb116296780878890b08f98d204104614b7b76aa2f8be84178f1a5c4bd0364ed95d7d9f1

Download Submit
C:\Users\Admin\Downloads\ioUy.exe

Filesize
201KB

MD5
7882687dcbc1603a291fc0f18713f1db

SHA1
752e584f03f4616b9891ca38ee89f8d18b063d0b

SHA256
fd185ded2f19a3de3ede4ab89a372dceaa1c6558cc9dbcd615a66db7016b0802

SHA512
a9e15055e41d5fd76f8d06a3011f46df40e535a5ed4f3119fb5290ca853748721667316cfb354c2b5e9751aad7b06d7bd22dfe09cfe17cdccc254e4ae92ff999

Download Submit
C:\Users\Admin\Downloads\jEEo.exe

Filesize
229KB

MD5
6211e69fd866689be4491444f173fd92

SHA1
9b81e655ec8e1a415c87fa8fab45f818419926d3

SHA256
d0b48545b95db63c0e89f23ec45bd03bd38df26198c9080655a883fc15476e85

SHA512
9e495a87d4a0fe8deced219fe4c2041bad86359ae6ee73eba04e4cfac2bf6174199ed80f8f7b58c651c330023ccf78ff628cfd0525aa1591667a6c4c81211e2c

Download Submit
C:\Users\Admin\Downloads\kwoI.exe

Filesize
229KB

MD5
e71073793ed5f254fbbea6c419a38a38

SHA1
7f0ba356e81b051d872d8350ab06793a58aae52c

SHA256
49a138531ace799fff9a37eee28d4e68069d91ce9a6e123912e15dcaaad92dac

SHA512
dcf476afd53763ddf3968314b2210897bc2c86fe919d796f2cb5f4b01367cb5707b4beee5bbb8b5c9bbb2047a0f611492ab356b5b047b75fc5ef48a32473a056

Download Submit
C:\Users\Admin\Downloads\mQsu.exe

Filesize
423KB

MD5
1e3ed0dd6dcda0be8a204cab42095ab3

SHA1
ce6ddff560686751a79a4599c1214afc42f6f4d9

SHA256
23f099f3f74b85c94ec21627f0aa2c53d7174948154451c94eb9151721a23f91

SHA512
a9d7a0b09c3c6261df9aba36083c0fe258d4a897644c0de0d6e9ea1a7caddd3d553ef0950e3ee715f0065f55517c43999d8bf111623d8f1dbe31ea1139c7be8f

Download Submit
C:\Users\Admin\Downloads\mgMO.exe

Filesize
6.2MB

MD5
34c6adac69318e12ec967d6844fa1bbe

SHA1
06c5bd5ad026d91f2d0b67a86c2d7d4b6230949f

SHA256
e1023ec5e4dfc36ce668b3fe49afa3f8bfa09dce48888060da9833fefb9e4a19

SHA512
caccd6e028698febb06d6ffbbbd66b5f864551a6f9d000dd9e535b98e236c92805f4e1ea62049b8c8c851fcd890fd3a26ff1730b79aecc7af20c9cb67bc65cc1

Download Submit
C:\Users\Admin\Downloads\nUMe.exe

Filesize
186KB

MD5
5d68a760aa4b24cebc318bbaf3bc7363

SHA1
e8bb0b36c5d00ec5e2a5927ab3438f0830d214ad

SHA256
1dafd81ce94145eadf7e50ef89df40d4e8d00b1cacac36e691830c5bef996eb5

SHA512
50b1601c02057b8b6d528e60c44bc8bb06ff1f6530d49c251add07616d697ba5df4604df590a601321d2da05702a2f491221804e6218235b9c47bd76308c6cbe

Download Submit
C:\Users\Admin\Downloads\nUUC.exe

Filesize
202KB

MD5
44404f81c6583a455e44b344efda2178

SHA1
8c8ffda7a0917aa2e64959abb1a571cee1a30929

SHA256
44fe8fdffd036231524604646801f6c6f5dca84d395a8141f8ba81a7d833bf7e

SHA512
398989e5d3a0bd620a2658ca40543186232b658f8e23d4807eb01961f024e9b47bfc9db08b4454ea1ac0772677d49900b1acc0840f5945c7a41771a72f775d02

Download Submit
C:\Users\Admin\Downloads\nggU.exe

Filesize
650KB

MD5
69cae3096832da1773ceddd5904f81d8

SHA1
0130b56667e02c96c48151060119155ce3cfe077

SHA256
9bd4997616bf026047c61cb9473d9e6d4616e0f1d3eae5e1257485b0d0aff262

SHA512
f04c59d9364c98adc48eb82b4c6a468922031c2f48849d6d4ed7751df0ac80039f2571ce27ed9feb8245ab45d09a2f19348258d425025226af7ce6645ebee9da

Download Submit
C:\Users\Admin\Downloads\noEA.exe

Filesize
201KB

MD5
d1c4e7fe0d504b3d0ab2bdfe8a6c6c19

SHA1
7af63a9bc645f0b9c3b49ba8bb2989b89787244f

SHA256
e40c4dd6cd0df34aef9c7e7baf78ae5ff5655bf79812bb7227496a6b7509bb06

SHA512
1b567a5db21e86825d24d518bc404fd86c076f84044aee33234ef3cc1c9d1303117daddaa024867ad78b6997e67567d56e8e022561621e9427ed87dfb204a8f4

Download Submit
C:\Users\Admin\Downloads\okQS.exe

Filesize
359KB

MD5
074d3dbf5947d5fd2041df10ecf57443

SHA1
39c22f9722f59237ff8fc5e4ee627241e41eeb50

SHA256
a7e720b248b9d183e2bbd9ee60ce642d52a84569254dab07549a4ea96c82674d

SHA512
e378086e18000b082a05809477ccef8f9af339f226ed0e6eeedfff83967b9b90d3a7f6438a0fe7cf886a3f49e87b1425fe6733ecc08a42e46f4851a1b39b83d7

Download Submit
C:\Users\Admin\Downloads\pQMk.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\Downloads\pQco.exe

Filesize
198KB

MD5
90821f3c1b72ffca1ff9fee003a1baff

SHA1
4d6abf4739aa3a528efea1f01ea9dd8ca2e95e5c

SHA256
5efb1afc26e8dc2999514c6711963c80b02ae64ad9c8e9371262993ff0061e4f

SHA512
d72cfb3b65b9ba1bdcdef5ab5f7c00d50375044ad3a8609caf693344eada083c60787de5d1e4c8ffe91bd8e53f7303f56d55be2936be065a3709ee5fc46ebcde

Download Submit
C:\Users\Admin\Downloads\pUAg.exe

Filesize
198KB

MD5
9b8eadd432c1f182b165fc77181834eb

SHA1
114b1bde2ea36ce49f3346c0925ace6e7afc06a4

SHA256
dbbc3ebebacd334282da5f381aef26483e07c1bbe05729cc3fc57c21725839d4

SHA512
ad4f522d400c67cfe3901588bd6270f6476c20f900b7f4676c1340e9460c317f1468e09bd6d54641b8d7474c23a4702f509c9e3f96afafc186a6b391644790bc

Download Submit
C:\Users\Admin\Downloads\pUwK.exe

Filesize
348KB

MD5
4cbc879492f9f49982c42fef58887089

SHA1
886578eaa12eb113c99f9d503a9eee72de674923

SHA256
f07b4d7aee4058f805c0558a14925ffbea6e6c9631ecf45614ca7aa6fe1bcf4f

SHA512
e9931a886312a674c327b5c11f8e01f48ad7097a55090c0b2e8d22f1ca6402d8257cf3d0024b1df26872939556af93534c1ec1354672c0a2378414d6fc80b72b

Download Submit
C:\Users\Admin\Downloads\pgQa.exe

Filesize
204KB

MD5
6973f16613f9ebec4ed7b737086a9ebb

SHA1
41b367e090975172c3830b552077cf5126341900

SHA256
352e1f31d793d95ad44faa617977f7b28101c95b021be29d621fccf63b4cd547

SHA512
9fb333e080c3a19194920e752efd21694e2c3a881c4a0d77d242e57f36059285ec01bfb07c8a2ef567a9287a817f4b2e615c4fcb7ffbdf614c57f7ed900fda79

Download Submit
C:\Users\Admin\Downloads\pkcW.exe

Filesize
200KB

MD5
c7c1dde96124f1dffd467934b1b4137c

SHA1
90fbfbea35f06377ea9a9c18933e9d8fb12642bf

SHA256
80fd897bebbd78e151e50e844577c5fbc3960f1c47b23a961aacea97fd3b9669

SHA512
b26d21f8094ae831eb28b382ef1a61ec6e7bf3c5d3c5b2d68d70e20e5760d28190ec98fbdc5b0dacd8e5a09fcbd9843f814c899d7c043e6321e3663eb7d95988

Download Submit
C:\Users\Admin\Downloads\qYwK.exe

Filesize
186KB

MD5
06d236993ce9e68f35430586e49d5362

SHA1
56b28615102de22aafe0ddd231c28bc26b6461ea

SHA256
74695f09ffbfe4bc736ca08cb4c3da8bbaad1b4155234cadc775357bc7c68132

SHA512
61d7488349dcfcc0d87ae1e7c250999628632bd83cd277780b9644a1b145695e82beb0b0398dbed2c52c73dd00accba0bb4779afa317433381320137867f89c9

Download Submit
C:\Users\Admin\Downloads\qkQE.exe

Filesize
828KB

MD5
a1d371f195e884aa4a4523644157aa3a

SHA1
b53ee23af2c3cf4e9a7a53edd3cf0567cd6fa83e

SHA256
1d27dc8e99c636e6a7df17b6059ec489e8d67114a6d094bec0057e4bb8c8e6bc

SHA512
fd17e6bd5e07ec94f92756707b535c059253ef5108859ab5a4cae292f72439e7ea664c43433b83a90d4ee5d03fd16b81096062635556b62e42c911b3953b5afb

Download Submit
C:\Users\Admin\Downloads\rEoy.exe

Filesize
199KB

MD5
bbb16aaa491586f19f863db25e5c6821

SHA1
5bbb0947a90d6fbb999cb2b9e6d64a14309e8686

SHA256
e0301f1a56045a8b16c64156286cdedac14c682780156a0a0bdcb940bd46da41

SHA512
ade1532fb96d2be826abf0732863da8afe4844eb940086ebf12cf727798541f90c658b23071185faa703d6c0eacb29ae96f9dbdb625b8674680908645b301270

Download Submit
C:\Users\Admin\Downloads\rkIe.exe

Filesize
198KB

MD5
9389c5f2569107e092b71722e52b21fb

SHA1
fb8dbd315e045906e732eef2758210359a184a46

SHA256
decd0d20dcd1cc69de510bc33b215ca0a3dd75a7171d1ff7bbf0946499bdc4a4

SHA512
d8b53083af6bd10cbb6c3ce2090fd687d6981d621fcdc7597d80f220df6e3d35dee62439a518ddd1039b8fba5ab1587ae506973940b04eb7a04a1be575e6518d

Download Submit
C:\Users\Admin\Downloads\sIso.exe

Filesize
736KB

MD5
308d276c34943884f81eaf146a03f394

SHA1
9b09f45ae1523ee33ab4e4588072e48161c0678c

SHA256
084f142894c37debca176e20d7493ddc3405a45159471e72777c50d6f60f8cec

SHA512
dbe9f0946746a695f886104a92c97043128fbb8a54dd6afa0228f9b73dca77f8327d0bad01917b6f7703d97e877f0507ef6c2bbd5fbfd8512c4570ba71e464fd

Download Submit
C:\Users\Admin\Downloads\soQw.exe

Filesize
186KB

MD5
f5a158883f2732deb73c7522437741a0

SHA1
419598500ca7694854c084376eb2aaf8e7a7870b

SHA256
3863ee7b2b66f86f512f3983f90807e670b6e1843e4ef705ab15d068b82dafb3

SHA512
c4c81162e102db99e6534ec761992acee9aa2b20cad1cb5f9bb7f974fb3c7e9b9c9f22c12f4a91bb78160fa560dd3863b2bd6a1edb9a9622f3694dd36ed18aa7

Download Submit
C:\Users\Admin\Downloads\tsAO.exe

Filesize
202KB

MD5
d94da45bc8614b2806e4927039e190db

SHA1
4106230191453d887bcd2e311f628ebfa4ba0763

SHA256
f2da96fbbbbe1e82724d4ca6dbeb04c601ec2e5070ca69ede46c6a5fbfc432f5

SHA512
f093fc0f5572ea8c7ed9c730242ec4a3c2bf6a2654d08614cd57699b98e724a4dc85662d599f81527ccb4d883e67804ed6057ce24f22ab033982443c8424e577

Download Submit
C:\Users\Admin\Downloads\uUQs.exe

Filesize
341KB

MD5
486a2b98d3c80eb801bcc81f514c9e36

SHA1
867b527d3c6c6bff84fb258c3b16a4749eedf4be

SHA256
c04ed4fa6270536f0af3d0a23756262ea0f2d700b110eee6f5787e4ec4bd041f

SHA512
386d5834b0ecbd9a29579beec1719bd9867c5d4e9761c1d27ee2a723390b58e66f82f4f3922521fd86c20793f760f705696164c96e1321aae50800e15fa816a6

Download Submit
C:\Users\Admin\Downloads\uUgk.exe

Filesize
192KB

MD5
7cc288367696efc1539c88ec2f2c3d1c

SHA1
18050891032384446ba05d01a7eb6466166d8c6b

SHA256
705ae8bbf076e0981467d5063cec45c4f7217df352abe88e793bc76f63578ed9

SHA512
0975ce6963e606c4fbaa58ee8d4ae2a513732ae6baee1b205fa8fec0f5ce2312c3c07c86e022b2f4f7653cdaea37cff5d74da60f8a9c499064be686cc1ec9561

Download Submit
C:\Users\Admin\Downloads\uYsM.exe

Filesize
871KB

MD5
26127bd2cee93f74923294eb891d2446

SHA1
62dadeb2f206d3b577a07c8698aa2318a8a2d112

SHA256
e308e010480a710d01211ea083231a4bcd7a278fd92fa8caff4841dd41e54c65

SHA512
c6ea4aaa72e521904b4a4bb2357f34dd65c27f3992a9025f183e2a8942f05fd96dbd1d4a173a4317ae209f22b84958fb6679b551aee05cace6edb5fcbcea5423

Download Submit
C:\Users\Admin\Downloads\uskI.exe

Filesize
775KB

MD5
805e8b4bfa02a35935ee1e733e1175ed

SHA1
a89220098b00236ddbd1c24f7888d4c75cbdc967

SHA256
079f6f2869e5b75dd1a174618fb09076055427d0b859169736f1d22ae39a1583

SHA512
119e859f7c48588725641b8e613f7ceccd42f12b0b639bb7562519fb3f828b7fd8585e0bca45cf6435fef08881fec9443cd29d6fe43ed411b96d2492ff8e0199

Download Submit
C:\Users\Admin\Downloads\vEIo.exe

Filesize
570KB

MD5
8102a75108ee5d358a3e72ba4d31cb20

SHA1
c9b0459c73b781fbc7de3e38813c66603ed807fb

SHA256
bb2fc38b013dba91c7a3d0287ab5618021c94e5e6414ce36307c0cf6b895a889

SHA512
30f95ec15753c7016ec38a7c6ffbb091f17b0e0bdd799a4f63282641a0d11faf3e66befab0515f2c50b55ceb9b00c1adb09c828bbe12b3709ea7228e26021e70

Download Submit
C:\Users\Admin\Downloads\wQUk.exe

Filesize
215KB

MD5
791077950f46adbc489f41d2200b639e

SHA1
1fc8adffe4443efb79fe5665b5561ef1e84d114a

SHA256
82753f34916016caddafe33ead9e975ae879dc6e3c94997ba450b4b2512d1b2e

SHA512
28834ff11555d7b9c313eb130f5385e7003a5b1268987b09495d7437e37c485649237a9863038d29562151f4c55ed8a76172326f869763f03696dd3876cd367b

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710b1.exe

Filesize
3.7MB

MD5
35ce5ca947118e7b856097303d616096

SHA1
f8b308533b60734a0eb9773d10b35c449c86a484

SHA256
0b00566c605869fe70b0dc364a8bda9c44faa2f5df2f9adff822b4be6ed32db1

SHA512
d71c663b3475c75824c064cd03bb799ff159c885c7d173b2bf86c1f3aaee6135f762b0d2779113aab75cd6bbc7695726b8ec7cfa75ca15759e195e5da4185ad9

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\wskQ.exe

Filesize
403KB

MD5
0c747cf6bf4a9970e501dd62de8d718a

SHA1
60ab6ff2cc460edd7ce51d5ce48220feba35d4f0

SHA256
d392c685764598fdf742fc055f798b3e756874b77df53333c6105c7c82ebb7b9

SHA512
8ba2c952b4946f91d2ef406d3f86b0e1a6c055c72ae685e5a3ef3a0741d0f2f28496ac70660174f93d627e468bf7c4addcd51d5a71bd8694f8dfed9f48b0459b

Download Submit
C:\Users\Admin\Downloads\xMcy.exe

Filesize
268KB

MD5
56eb8db474262e9745616ed826d75754

SHA1
3f4d45b400ca11ad3a2e30db13b91e583f75dcf7

SHA256
cb0f04a8c5e598a9434a36ae9eb8758823963694f786004f0e8b6a8ec5dfc3fb

SHA512
4aca023960592524c476acd404bc1fccefbefe7a22653aa7ba782890ef9099110a8c39ac6084b60ba7e87e4ef030376892cfac584f87b1950622d4b2bef0b168

Download Submit
C:\Users\Admin\Downloads\xsQw.exe

Filesize
6.2MB

MD5
4a854eeca481e6029d3350b5600519a6

SHA1
0a43f2fdc0b987c9bc0966afbad598f17ed851f5

SHA256
a18ad4b6b3c24968f0132a2a11a3cca065eeb2c8817898babc1f6863bc8d68e4

SHA512
ba2d3a38b2c428054dd5ebc1527058de7e0d0ce54e7ff717424be6b12120cba9be4d5fe14ac8017eb383243ca0a4c84ca66465a2f43ee8b7b5708a366f868929

Download Submit
C:\Users\Admin\Downloads\xsYe.exe

Filesize
187KB

MD5
b4445589c55b5b7cbab3dbb98d72bec6

SHA1
95d1945b8027f82e7925518156b651f13e296bad

SHA256
8a8a46969eb2ede49c4359ed85e30acf72fe439c4401592c3f358bc3b1fb9821

SHA512
b68f5f47ac8d6c18303134e74c150bbb599dea5e2ed1f5ad3e5eed8652b3602ad9d20f546743d08f35a7b7473f8d083ccf810cd3b700fde9f64a8595b15ab9d5

Download Submit
C:\Users\Admin\Downloads\xsce.exe

Filesize
415KB

MD5
441511b8dd6cd35390e5c52f3cc3f1b9

SHA1
99c364343b4b97d33d0775efac58d2cd0de6457d

SHA256
50425e721c1414647b9bc1fb2ca6e679711967f20dab24d7493a6b4b221e38f3

SHA512
5e99a93946d7b3576359ed3cc4f03194e01ce65372139cc0ab94f736e3bf37d9885b3a763a1ca1b11a59b8527b278cedac9c9ef439021da60bc928fa47f241c1

Download Submit
C:\Users\Admin\Downloads\yEYm.exe

Filesize
192KB

MD5
43f3f2cfbc456763381761ecba174316

SHA1
cbd5da2d3bce58b01f86a0a86505a58c8d411eb3

SHA256
5d7de53c7d343fa066aa85b64667b03323aee7c36631f74ddcfe40a23c5b5f0f

SHA512
7eac53c955496d5286f7d72f35b8fd4f68cf9b1d25d713d8dc81aa31a06d51907e4a0ad400edc88c959b84dc036968880a055af87f04c79c0aff10b29cb21d31

Download Submit
C:\Users\Admin\Downloads\ysUU.exe

Filesize
184KB

MD5
45d973a60f32916d3ef94283b281a7ae

SHA1
314cd89b9adcd023db6f073697057566836da356

SHA256
102bb840d194bf066bbc0feeb4420016d5bd3acfdaa35778698a99faa14def86

SHA512
702334041123504034d13956c34c57872e064c196af7a5d59df3c4c50af6e8acf3bb71bbd62ff2909adb9bbb385c5e308b069889f5b1b3098e79ee6b3ef189ad

Download Submit
C:\Users\Admin\Downloads\zEIE.exe

Filesize
205KB

MD5
9231c3192e5ac0f79d5abe108cee0ae0

SHA1
67729c3efd8422f683e161dd5d01e3002c6cdc55

SHA256
56704e062ceea87ff41256f5eb05ee2da8458b2f7270ebada3d7f86d08dffdb2

SHA512
f908074213efbcc9a524dd5d7555fc120a89400ab3296979ba480f977921df2ce01a38c0b8a537b766a4e4e322efa940763202ef2a233af5d88fcfb4bd19da30

Download Submit
C:\Users\Admin\UqscQgIQ\sGQEQQEI.exe

Filesize
190KB

MD5
4148bc542ae22a9e1bb5837d49ed5c8d

SHA1
b0e73190ff30d9eb9e8cf1525ae0bc9023561f00

SHA256
4362db23250f189ca52d9f5b9ceee0d3472c7519ed7044df5ab3578fdec8b2bf

SHA512
3be8b980b2da33c1ce9e703ab74d28cf007cf1e0e82b17f43ff50d18966922fa69f95232b5081bb79bf73cb8f01d4f6321a5353160127e0d229fa18909bc3a70

Download Submit
memory/384-1491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-1472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-1477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-1466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-1308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1112-1428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-1454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-1254-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-1274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1960-1385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2172-1024-0x00007FFD7F750000-0x00007FFD80800000-memory.dmp

Filesize
16.7MB

Download
memory/2172-1025-0x00007FFD83850000-0x00007FFD8395E000-memory.dmp

Filesize
1.1MB

Download
memory/2172-1023-0x00007FFD80A10000-0x00007FFD80CC6000-memory.dmp

Filesize
2.7MB

Download
memory/2172-1021-0x00007FF7A5460000-0x00007FF7A5558000-memory.dmp

Filesize
992KB

Download
memory/2172-1022-0x00007FFD9B0F0000-0x00007FFD9B124000-memory.dmp

Filesize
208KB

Download
memory/2208-1300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2432-1402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-1236-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-1216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-1553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2812-1445-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2860-1231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-6266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-1420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3364-1255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3468-1289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3688-1316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3928-1352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3940-1361-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3940-1353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4180-1370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-1436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-1465-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-1342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-1508-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4588-1104-0x0000000000290000-0x00000000002FE000-memory.dmp

Filesize
440KB

Download
memory/4588-1107-0x0000000004DB0000-0x0000000004DBA000-memory.dmp

Filesize
40KB

Download
memory/4588-1106-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/4588-1105-0x0000000005310000-0x00000000058B6000-memory.dmp

Filesize
5.6MB

Download
memory/4596-7223-0x00000000013C0000-0x0000000001426000-memory.dmp

Filesize
408KB

Download
memory/4596-1464-0x0000000004D80000-0x0000000004DD6000-memory.dmp

Filesize
344KB

Download
memory/4596-1455-0x00000000001E0000-0x000000000021C000-memory.dmp

Filesize
240KB

Download
memory/4596-1456-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/4688-1410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4804-1334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-1282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5000-6216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5000-1226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5088-1325-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5092-1246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5092-1235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download