Malware Analysis Report

2025-06-16 05:19

Sample ID 241216-q8x21asqfm
Target 03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5
SHA256 03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5
Tags
stealc stok discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file 03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5 was found to be: Known bad.

Malicious Activity Summary


Stealc

UAC bypass

Stealc family

Modifies visibility of file extensions in Explorer

Renames multiple (89) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies registry key

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 13:56

Signatures

Unsigned PE

Description | Indicator | Process | Target | Events
N/A | N/A | N/A | N/A | 1

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 13:56

Reported

2024-12-16 14:14

Platform

win10v2004-20241007-en

Max time kernel

1050s

Max time network

1037s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target | Events
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A | 6 (identical)

Stealc

stealer stealc

Stealc family

stealc

UAC bypass

evasion trojan
Description | Indicator | Process | Target | Events
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A | 6 (identical)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Events
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 1

Renames multiple (89) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target | Events
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 1

Checks computer location settings

Description | Indicator | Process | Target | Events
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe | N/A | 1

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target | Events
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 1

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Events
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcsYEkEw.exe = "C:\\Users\\Admin\\WGoEYUUQ\\lcsYEkEw.exe" | C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected] | N/A | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sMcQwoog.exe = "C:\\ProgramData\\kaEosIAE\\sMcQwoog.exe" | C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected] | N/A | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sMcQwoog.exe = "C:\\ProgramData\\kaEosIAE\\sMcQwoog.exe" | C:\ProgramData\kaEosIAE\sMcQwoog.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcsYEkEw.exe = "C:\\Users\\Admin\\WGoEYUUQ\\lcsYEkEw.exe" | C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe | N/A | 1

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Events
N/A | raw.githubusercontent.com | N/A | N/A | 2 (identical)

Drops file in System32 directory

Description | Indicator | Process | Target | Events
File created | 19 files under C:\Windows\SysWOW64\: QMkE.exe, wwwS.exe, wMgQ.exe, GMsO.exe, wQca.exe, wEIy.exe, Skca.exe, WYIQ.exe, ucom.exe, Iswc.exe, akEW.exe, ecIw.exe, mgME.exe, GQsE.exe, MwoA.exe, KoMu.exe, kQgI.exe, swss.exe, YwMk.exe | C:\ProgramData\kaEosIAE\sMcQwoog.exe | N/A | 19
File opened for modification | 45 files under C:\Windows\SysWOW64\: aEIa.ico, YQoO.ico, Gwck.exe, iskm.ico, yYEy.exe, gkMo.ico, wEIy.exe, QkQq.exe, ocIS.exe, wwsM.exe, sYwo.ico, EMAo.ico, esAQ.exe, WEAo.ico, YQAm.exe, cgMQ.ico, Okwg.ico, cwoG.ico, QEYK.ico, OUIU.exe, EUwY.ico, esgK.ico, WUEk.ico, kQgI.exe, CcUg.ico, Mswe.exe, oYse.exe, gssS.exe, McsK.exe, uMku.exe, gwsC.exe, AAgE.exe, QYUq.ico, wwwS.exe, EAoI.ico, msMM.ico, GUwA.ico, sEUA.exe, AsoK.ico, YwMk.exe, yIkw.exe, aMYW.ico, oUUA.ico, QkcA.ico, swss.exe | C:\ProgramData\kaEosIAE\sMcQwoog.exe | N/A | 45

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 1

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Events
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A | 18
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 10
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A | 6
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected] | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\PolyRansom (1).zip.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\ReceiveUninstall.rar.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kaEosIAE\sMcQwoog.exe | N/A | 1

Checks processor information in registry

Description | Indicator | Process | Target | Events
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A | 1

Enumerates system info in registry

Description | Indicator | Process | Target | Events
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target | Events
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A | 1

Modifies registry class

Description | Indicator | Process | Target | Events
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A | 1
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A | 1

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 28
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected] | N/A | 16
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A | 8
N/A | N/A | C:\Users\Admin\Downloads\PolyRansom (1).zip.exe | N/A | 4
N/A | N/A | C:\Users\Admin\Downloads\ReceiveUninstall.rar.exe | N/A | 4
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe | N/A | 2
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A | 2

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe | N/A | 1

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 64

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 24

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4872 wrote to memory of 376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4872 wrote to memory of 1864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4872 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe

"C:\Users\Admin\AppData\Local\Temp\03b0ee461554c9ecfcc906404caf95247f39959ad36fff125722870f27efa0b5.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb539646f8,0x7ffb53964708,0x7ffb53964718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6052 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,15940614869384333687,17993859786831854706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]

"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]"

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe

"C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe"

C:\ProgramData\kaEosIAE\sMcQwoog.exe

"C:\ProgramData\kaEosIAE\sMcQwoog.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QckUswEc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]

"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGMQcIUI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]

"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqcAUUso.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]

"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYYYwwMU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\Downloads\PolyRansom (1).zip.exe

"C:\Users\Admin\Downloads\PolyRansom (1).zip.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\PolyRansom (1).zip (1).zip.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\Downloads\ReceiveUninstall.rar.exe

"C:\Users\Admin\Downloads\ReceiveUninstall.rar.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ReceiveUninstall.rar

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ReceiveUninstall.rar"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=046955BE26A1DB48E5513FA75FADF5A5 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=68BEDAF06B8ADB7DF1224A7B3DFBF870 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=68BEDAF06B8ADB7DF1224A7B3DFBF870 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EA2FA1C68F2421864B291A60C65347AD --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=92EA4EAD19F546CAA9BE5D54518BF80B --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=34E673EFBE3416C8FDD1BFB06822135B --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

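The reg.exe command lines above are the behaviour behind the "Modifies visibility of file extensions in Explorer" and "UAC bypass" signatures: HideFileExt=1 hides extensions so a renamed "device.png.exe" shows as "device.png", Hidden=2 stops Explorer showing hidden files, and EnableLUA=0 under HKLM turns UAC off at the next logon (writing that key already requires an elevated token). The Python below is an added example, not output of the sandbox or code from the sample, that re-derives those detections from raw command lines: it parses `reg add` flags in any order, matches on the tail of the key so HKCU\ and HKEY_CURRENT_USER\ spellings both hit, and also flags cscript/wscript launching a script from a user-writable directory, as the `cscript C:\Users\Admin\AppData\Local\Temp/file.vbs` line does. The rule names, the ATT&CK mapping and the two benign lines at the end of the sample are assumptions made for the example.

```python
"""Flag Explorer-visibility and UAC registry tampering in process command lines.

Added example for this report: rule names, ATT&CK mapping and the benign
sample lines are assumptions, not output of the sandbox."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (rule name, ATT&CK technique, registry key tail, value name, data that fires)
# Key tails are compared case-insensitively against the end of the key, so the
# HKCU\... and HKEY_CURRENT_USER\... spellings both match.
TAMPER_RULES = [
    ("explorer_hide_file_extensions", "T1564.001",
     r"\microsoft\windows\currentversion\explorer\advanced", "hidefileext", {"1"}),
    ("explorer_hide_hidden_files", "T1564.001",
     r"\microsoft\windows\currentversion\explorer\advanced", "hidden", {"2"}),
    ("uac_disabled_enablelua", "T1548.002",
     r"\microsoft\windows\currentversion\policies\system", "enablelua", {"0"}),
]
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\users\public", r"\programdata")

# reg.exe may appear bare, with a path, or quoted; flags may come in any order.
REG_ADD_RE = re.compile(
    r'(?:^|[\s\\])reg(?:\.exe)?"?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)$', re.IGNORECASE)
REG_FLAG_RE = re.compile(r'/(?P<flag>[vdt])\s+(?P<val>"[^"]*"|\S+)', re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(
    r'(?:^|[\s\\])[cw]script(?:\.exe)?"?\s+(?P<args>.+)$', re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    cmdline: str


def parse_reg_add(cmdline: str) -> tuple[str, dict[str, str]] | None:
    """Return (key, {flag: value}) for a 'reg add' line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    key = m["key"].strip('"').lower()
    flags = {f["flag"].lower(): f["val"].strip('"').lower()
             for f in REG_FLAG_RE.finditer(m["rest"])}
    return key, flags


def check_cmdline(cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    parsed = parse_reg_add(cmdline)
    if parsed:
        key, flags = parsed
        for rule, technique, key_tail, value_name, bad_data in TAMPER_RULES:
            if (key.endswith(key_tail) and flags.get("v") == value_name
                    and flags.get("d") in bad_data):
                findings.append(Finding(rule, technique, cmdline))
    m = SCRIPT_HOST_RE.search(cmdline)
    if m:
        # Normalise the mixed separators the sample used (...\Temp/file.vbs).
        args = m["args"].replace("/", "\\").lower()
        if SCRIPT_EXT_RE.search(args) and any(d in args for d in USER_WRITABLE_DIRS):
            findings.append(Finding("script_host_from_user_writable_dir", "T1059.005", cmdline))
    return findings


def scan(cmdlines: list[str]) -> list[Finding]:
    return [f for c in cmdlines for f in check_cmdline(c)]


# Constructed sample: the three reg.exe lines and the cscript line from this
# report, followed by two benign lines (assumed) that must not fire.
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f",
    r'C:\Windows\system32\cscript.exe "C:\Program Files\Vendor\health.vbs"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.technique} {f.rule}: {f.cmdline}")
```

Two caveats when turning this into a production rule. A command-line match only sees reg.exe; a sample that writes the same values through RegSetValueEx directly leaves no such line, so pair it with registry value-set telemetry (Sysmon Event ID 13) on those three values. And EnableLUA=0 does not take effect until the next logon, so on a live host the prompt still appearing is not evidence the write failed.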
Network

Country Destination Domain Proto
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 104.86.110.113:443 www.bing.com tcp
US 8.8.8.8:53 113.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 95.100.195.177:443 th.bing.com tcp
US 95.100.195.185:443 r.bing.com tcp
US 95.100.195.185:443 r.bing.com tcp
US 95.100.195.177:443 th.bing.com tcp
US 8.8.8.8:53 177.195.100.95.in-addr.arpa udp
US 8.8.8.8:53 185.195.100.95.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.252.134:443 aefd.nelreports.net tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.133:443 login.microsoftonline.com tcp
US 8.8.8.8:53 134.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.clarity.ms udp
US 13.107.246.64:443 www.clarity.ms tcp
US 8.8.8.8:53 c.clarity.ms udp
IE 13.74.129.1:443 c.clarity.ms tcp
US 8.8.8.8:53 c.bing.com udp
US 8.8.8.8:53 u.clarity.ms udp
US 204.79.197.237:443 c.bing.com tcp
US 4.227.249.197:443 u.clarity.ms tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 1.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 197.249.227.4.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 2.19.252.134:443 aefd.nelreports.net tcp
US 8.8.8.8:53 u.clarity.ms udp
US 4.227.249.197:443 u.clarity.ms tcp
US 4.227.249.197:443 u.clarity.ms tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 95.100.195.176:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 176.195.100.95.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 private-user-images.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.112.22:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 www.clarity.ms udp
US 13.107.246.64:443 www.clarity.ms tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 22.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 u.clarity.ms udp
US 4.227.249.197:443 u.clarity.ms tcp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
FR 216.58.214.174:80 google.com tcp
FR 216.58.214.174:80 google.com tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.252.134:443 aefd.nelreports.net udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 4.227.249.197:443 u.clarity.ms tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 204.20.192.23.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
FR 216.58.214.174:80 google.com tcp
FR 216.58.214.174:80 google.com tcp
US 8.8.8.8:53 google.com udp
FR 216.58.214.174:80 google.com tcp
FR 216.58.214.174:80 google.com tcp
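The table above mixes resolver queries, reverse (in-addr.arpa) lookups and the sandbox's own browser telemetry (bing.com, clarity.ms, nelreports.net, login.microsoftonline.com) with the rows that matter: plaintext HTTP to 185.215.113.206 with no hostname, and repeated TCP connections on port 9999 to three BO-tagged addresses that were never resolved by name. The script below is an added example, not part of the report, that parses rows in this table's format, drops the noise classes, and counts the remaining endpoints per rule so repeated rows become a count rather than duplicates. The rule names, the noise definitions and the subset of rows used as sample input (copied from the table) are assumptions made for the example.

```python
"""Triage a sandbox network table: keep destination signal, drop resolver noise.

Added example for this report; rule names and noise classes are assumptions."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One row of the "Country Destination Domain Proto" table. The domain column is
# optional: direct-IP connections and mDNS rows have none.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?"
    r"(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_rows(table: str) -> list[Conn]:
    conns: list[Conn] = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or malformed row
        domain = m["domain"]
        if domain == m["ip"]:
            domain = None  # the table repeats the IP when no hostname was seen
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), domain, m["proto"]))
    return conns


def is_noise(c: Conn) -> bool:
    """Resolver queries, reverse lookups and multicast carry no destination signal."""
    return (
        (c.proto == "udp" and c.port == 53)
        or c.ip.startswith(("224.", "239."))
        or (c.domain is not None and c.domain.endswith(".in-addr.arpa"))
    )


def classify(c: Conn) -> str | None:
    if c.proto != "tcp":
        return None
    if c.domain is None and c.port not in (80, 443):
        return "direct_ip_nonstandard_port"
    if c.domain is None and c.port == 80:
        return "direct_ip_plaintext_http"
    if c.port == 80:
        return "plaintext_http"
    return None


def triage(table: str) -> Counter:
    """Count flagged (rule, 'ip:port') pairs; duplicate rows become the count."""
    hits: Counter = Counter()
    for c in parse_rows(table):
        if is_noise(c):
            continue
        rule = classify(c)
        if rule:
            hits[(rule, f"{c.ip}:{c.port}")] += 1
    return hits


def direct_ip_indicators(hits: Counter) -> list[str]:
    """Addresses contacted without any hostname, the ones worth a block-list entry."""
    return sorted({ep.split(":")[0] for rule, ep in hits if rule.startswith("direct_ip_")})


# Constructed sample: a subset of rows copied from this report's table.
SAMPLE_TABLE = """\
Country Destination Domain Proto
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 104.86.110.113:443 www.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
FR 216.58.214.174:80 google.com tcp
FR 216.58.214.174:80 google.com tcp
GB 2.19.252.134:443 aefd.nelreports.net udp
"""

if __name__ == "__main__":
    for (rule, endpoint), n in sorted(triage(SAMPLE_TABLE).items()):
        print(f"{rule:28} {endpoint:24} x{n}")
    print("direct-IP indicators:", direct_ip_indicators(triage(SAMPLE_TABLE)))
```

The PTR query the sandbox issued for 185.215.113.206 (the `206.113.215.185.in-addr.arpa` row) is dropped on purpose: the destination is already known from the TCP row, and counting the lookup would double it. The table alone does not say whether the port 9999 connections carried a session or were refused, so treat those addresses as indicators to hunt for in proxy and NetFlow data, not as confirmed infrastructure.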

Files

memory/4420-0-0x0000000000D10000-0x00000000013B0000-memory.dmp

memory/4420-1-0x0000000077A24000-0x0000000077A26000-memory.dmp

memory/4420-2-0x0000000000D11000-0x0000000000D28000-memory.dmp

memory/4420-3-0x0000000000D10000-0x00000000013B0000-memory.dmp

memory/4420-4-0x0000000000D10000-0x00000000013B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1 010da169e15457c25bd80ef02d76a940c1210301
SHA256 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512 e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

\??\pipe\LOCAL\crashpad_4872_SKOTOYREDXNIPVNH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 85ba073d7015b6ce7da19235a275f6da
SHA1 a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA256 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512 eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2ad90c6e033d8d952501bee791dfd422
SHA1 e2a46e227f9b0029e4dbd66e37a40474c33d8455
SHA256 018928907e485a57c8c02df610a9113298fb4a27efbef7150b03e63e03bc40cc
SHA512 0d725fdb4d18874c51cb81be6c2241fb81a28d65bbd3df01dfa631dcc3dee9c17d61204e08826bbdb2bc26bc752e4d2faa792c61930cc8fbddf071122645b547

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a80ca229f684e28e03dd3666856c5d7a
SHA1 1f45667e75992869c88886a9af68620dfe8c9fdb
SHA256 d6fb49df8b379bd56e5aca8c8f2a4a97fc55a30a31eb4096425d52f10c4383f5
SHA512 e0efe021120c247fb09fce161039ed59ba4f9291735a6fe35d664e2659bfc497df6d32122326c463422fa59eaeefc157beb569e994e63331701b09aa9e4da5c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4527945609c80c98461369fd3629abd7
SHA1 9a57af518ea804c5630092925cad014df3b7066e
SHA256 9cb8faaed96db4fe4b444bf13cdca38e7bc5e561c05f62386467c357175a7335
SHA512 473fb1b71f7688da6b8a735e1ce889b9c9d29ba0eebc9f7fcaea41ebcb93705550860ed3317fe485aa2dd0456ff63293e1fff59e6d2b1602ce1d6da6c15fd0fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a5b0e75feceb2f7a91b90de7f68fa600
SHA1 b07ab1f95fbec46843e55bee2d1181141fc119c8
SHA256 a9e29e98bef8d0cf3e9bb65da6e11f4db43a9dd055fdd86a77aa05d884749994
SHA512 48033d43f08b9a1dafa833cfc701cd8e0fc69ee3ba0b179e4535de0944c36e56e6a096f1fe50a2fea8a3da931498894e6a97ec1208ee867235d3e0924df0461e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b473494a2db8d26f13ef58444d2df1e2
SHA1 b0c92d9cd0ff39ddb5e9a8eb5b12f1511f8b44b8
SHA256 43710b5a2fc01c588388df91a4d65d131d4c23e8e5308ceda66f68d55eda4950
SHA512 a117fa6f4e1960a657e5a7169003cba5f5019eecbc679ed6323813f8745431476f766609378f1be55860fbd93b2c6cf6cd59a0b722971d2b8a89d33a2a85dcfe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 56d57bc655526551f217536f19195495
SHA1 28b430886d1220855a805d78dc5d6414aeee6995
SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 d6b36c7d4b06f140f860ddc91a4c659c
SHA1 ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 807dda2eb77b3df60f0d790fb1e4365e
SHA1 e313de651b857963c9ab70154b0074edb0335ef4
SHA256 75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc
SHA512 36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4ce77a391a29a68bc787ab09d7a13841
SHA1 b7e92c1cfd617f1f0c606eef885c53bfa68dbbe4
SHA256 46ceeaf9d43bb35435be74942eba40728943d9afae5fb57b41514bfec6ab42ed
SHA512 42812c6ce14db7aee0139c4bbb31ad242d5b36b299929429223eb55e872c263daaa4f74753750c336d7e26543cf71b615715a2ea504adc9f7c925bba7096efe1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe599215.TMP

MD5 208aa8dd5de88df1848a0088c3613052
SHA1 ff5a1b0df11c9e2e59e448d8e7667bb26ec74893
SHA256 1e8d012455b43fa1dfb1cee373a2934f2c2dde35a40414e5cc4d8ab352a51c74
SHA512 9b11d8445318bb4489c353857edebfc436f454b8944d366e43b95bd7fe888aa0cd11450bd3ec73f42c57bc6b2e613e300363ae00f2eddd0cd7d5ce0f1736e12d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6befe3110fd227ba5c0d0e9209c00c72
SHA1 6a0069e52b6ca58515444fdb76aaeaf1acb0368d
SHA256 c7b1df2341fb7c59613e03bf2d3a2f400562d264dcfa06001b2f1a4c6bafce68
SHA512 425d5652223b104a9791d8c619d1eaccd64181516d0f17ce3139c58f179d5d744ac3895b31f17b464e96f5118fc229994c8173fa52e14bf3e9fc7b46c5270dd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 69feccaab59951cef880b79ab13201a3
SHA1 089f2f66e58aefadb2576bacf906d7b9f3492c07
SHA256 d16cb27dea4f18b162ab7a36c79a288c1c7c12c6070020a2b39ae71d44e13bd5
SHA512 678cb6d7ef59063c5b43721e139659dcc72d4e4156adebde606fde8f4e930bb6b541fdaded2d4f3696aa2249516255bf098d3bf417e726737fbebe92fd6bf529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 46c17b6498d64fed6d73004f88553ae9
SHA1 33815147e06f74c2a75d721cdae3070457bd6ba7
SHA256 4961d84f61d7efb3cdbe6190776448ac6ff5e28cec14a89be4a1918286b730f9
SHA512 80710ead24700e9704cb33ecb15885e1c381a91009fe9b924e68253b821e4cc43aa03413811630f42c97bf52036df3062cfaa7a185682a3b59dfd260be2d33e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2070ed9836ae99c731de3496c2a00b9c
SHA1 117fc55d8fde25352fad8e9b2d445502778a5f2d
SHA256 977124f3db6b0142cf65de287336f491a6553a21d3530f0da6aee7980b0d70ef
SHA512 4f688c86b46f7a43da9f541d05c8dbaf05d90b91dffb9d5e66d04d3aebc8a97d33b9d9061ee2715462ad49db1c024c1ba12db511947015c3f3d4b086ffc2f684

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ca126e832393edf2f6075c55d5911926
SHA1 5ff1be9e6e2e40f2675edbfca26af14695edf914
SHA256 261569c1cc9eefbbfe9896456b010f2e555022add09380188ca26d5ced804f19
SHA512 6f8587cebd224feecff730a0056ca32eeea4bf2d3b3ae011833b6ba03a3f0033bf99c0fe32b5f2872841653644d1b62741996cac5e439ffcaa40d795845b5143

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

MD5 7a5ab2552c085f01a4d3c5f9d7718b99
SHA1 e148ca4cce695c19585b7815936f8e05be22eb77
SHA256 ed8d4bb55444595fabb8172ee24fa2707ab401324f6f4d6b30a3cf04a51212d4
SHA512 33a0fe5830e669d9fafbc6dbe1c8d1bd13730552fba5798530eeb652bb37dcbc614555187e2cfd055f3520e5265fc4b1409de88dccd4ba9fe1e12d3c793ef632

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 34ccc912154ab903a4694615ae8a4d55
SHA1 674e63743ac33aeb17179fc40fa0ee38148a3613
SHA256 4f2a1e1584010b193ad0d31433c1b67401905ba543b72824640402721f88a449
SHA512 f4da307194d33f553078305157c04d58b1728f849880101f52da3bdaaddaa96bca95b24ca21ed5c8009d0c78f48b19cb840c818bda954103b1370c2d59fd1018

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ea38bcd65076472a90e2e3ee27a1d1ff
SHA1 a1bed816dfd845ced6fc354e28b501df434c64b6
SHA256 c28418dca0e6ef5d2731aee2293e992a92ac7b66bcdfeff1844687323ff94a96
SHA512 cff609d183e5869a8d078e15e85e3420d2b60d723f5801201db77d521f14b4a01e634673234834d4068d344a8860962084c713cf3ff8196f984593e0a422ca96

memory/1484-727-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.exe

MD5 6eefb9962ff840a9082a1bf9ebc5bca3
SHA1 a1d8c0fdb5447255ed40685e375538de3cdfeb02
SHA256 bbe0a152154c8f98ecfa15d465d5a67435669842c979addff4257c35b4bfbacd
SHA512 272c2f8727103c4624f04cf4f4ad5f08798a00ea268d3a86154e1ad5aebf16198e0b437bf908a93545b5f315ae099bcff7dc1a53dc24d4a3876610ce1551ca36

memory/2648-735-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\kaEosIAE\sMcQwoog.exe

MD5 6caf92516741b57d4830d576924894ea
SHA1 7862429cf79d3763e530cdabe7b2e4064b1dbbb4
SHA256 89693d58fb4a9f7684872e200fe2b1a15e7b47a2d16c6c68fb58850ebfd6845d
SHA512 2b2586cd53ac804fab9e5065b793e8b1c1e485e4b47a0f4664249ff43949dd4866a18078e9a0ec2fa35caf1c2e76819d1c8fef729e31d7e191590fad6242bf15

memory/1920-742-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1484-746-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QckUswEc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0eae6ea8fc769381e991eb881dd01198
SHA1 d47996f6ae91a1ce2007401bfd58b35e3695a45a
SHA256 d34401623af7e3d61c396d91b7e4a469f0cdcc02148db7a165af697324e96c25
SHA512 74ec8e6e2d3624f666b79d974d75c271d6968f110e71009918dc36060275a2bcba4429c2b5322dd1fca819b0a4a343e3dc9e4d4504127e004098b05297940313

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 c37ecc4fe0f64b3b655ed9ac59cf215b
SHA1 607b847c7545339066847faf437c34c1db12c1b1
SHA256 c2d830870391dbfececd2f6b000c85ca9f7c7462ed09bbea696bc025d567f66c
SHA512 131a41b92a29761ea4791811731b6f9444df642d443ae52549705ed0412319a1a0baa5f5aadbd9a9a89f1ea890fa9d46e8a6d5a125d0c95c316b0c449562035b

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom (6).zip\Endermanch@PolyRansom

MD5 2fc0e096bf2f094cca883de93802abb6
SHA1 a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA256 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA512 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 2d6d400a4bf4bb356386b2bd03ae3fa6
SHA1 e1b6a0b8223408de2d81c35912731623fde67e9b
SHA256 a8fe9d90267719b61fc506c35bd835777d91b9a2fd3fcc1189ae3b109ad79db8
SHA512 e7726bdb47696b5d98b6ebf623fa8e7075d9078849adadf7f56874cc1d3de2df574545bf35f756347d601312483c5312da7b0d0b66b7a969a133fa4bd6064b19

memory/3332-784-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 752b71e1a87a39e99eab0446e460f807
SHA1 ef74eeb585de02427359a724e502fac71fded158
SHA256 4e69ad94173bfb582c7820392f8f1d24ec62b355f618c156cfce4644a13adf3d
SHA512 1130a4bef0d7c76a69036a0a623ed124ce45df85edbabc471c195c4018e0098bf5088b612c04e5a78bc453b6adcb366c4d9af1341e5e093544c628f1b1b281a2

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 8c0708e43f76d609acc50e5cfae2d8c3
SHA1 6c7517ca4442b47092460446c53c88bd2bfee379
SHA256 228ce8d480a4ef503846648573468b73bcf746e961bee7c2334402003e48830a
SHA512 717c0448509c966f9142c07871d56962377b195cbe88d2d8ed435de2eb00a91b2e2be0fb49718f38978cef1c6204497aebc1b17d334c61f3e2346d138b77100f

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 4ca9aaf6cf805c813cd2874c830628f3
SHA1 c7173397a7ad2bca770c4591f88fc490fddc03cb
SHA256 15f2bea3943f73fb398684179797a663fd5fdd08a5bf631e4b8aaed71835ac94
SHA512 c4a85e745b60e5001a550ffca704e8fde7a39aca131519c641476c178030bf0ba020a80ab5f1b7cf52f6ccb116d8af32cb6c1ab50c127f3489905ecf8f3dea8c

memory/1572-802-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 39bb93b3a3ac8dd8073d39e0d93d5a8c
SHA1 4ecd02b3bbe942eeae9769740d8bbf5726208c59
SHA256 b2c19f54a81d6495efbd664f2b9c3ea92a4ea65b9f69af096cdc6c14b09bbe03
SHA512 a90c23a4e09e66563a183e7244548866319f92e467b16c2c67b44ef7d214709bf68389cfebccab7cc827f6a5bc2ad38e26e98f70c8bb078489ee7dc1e0586c12

memory/1572-814-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 4eaf495cf4f89fb4990ead0bebefb703
SHA1 245fcf441b0fe8063e2eb1a9c6b5ccc14e4fcba1
SHA256 df7b3564d29c1cdeff082efff57b5ac64c24c6d0064f2c2ac2c5fa2f77b8297b
SHA512 9be22bb0be3b2d9ec28301e466291bdcb31612c4643e99fcf92deaa2455bc1dbcabb1759484fff474de16b0a8a7c28813e097a054964a99371d962711baf0006

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 144debd7987072ac7875b0ca860f8159
SHA1 591922ee3e3087783f5a3de4cb66b0a007da70c1
SHA256 9e720441529d2383298fd1ed99599df3c9c53cbd3a7a0a5958775746ff76b451
SHA512 cf672a4f1bda49f62e6c00de3275491c7852dc52296f5ca60b218660ec01732b81dac66ff77c845df713ed9b6b527573c9e772a16c14acd9841ed3475604f306

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 85431306a2f16f3b5853cf86b0c0b612
SHA1 81760919976161ef74598ad5f289f65ca2d67039
SHA256 81a82076c46f39ae3bf6bf1052535bff4fe7b0047b75f0ef104256217dfbb470
SHA512 5287b87a04a8225eb1f9e3ab7a376c05830b047cae90121e97d11c4e411a23d1e3239672869983186b4f9cd246d0265a01d28b7bd1a64bfa6207cb395f157806

C:\Users\Admin\WGoEYUUQ\lcsYEkEw.inf

MD5 416ef9df70461c5eba0bc9c9b396f0df
SHA1 f47dbd640082e0cd9d4afc2c126e42e5d5389efc
SHA256 c7adf465df4bef7e9cf26880f1e9863589edad318ba25cf54ff37312bf7f753d
SHA512 a1bcc80b47d4bbac0c03738cd7f9fb765109e064e528b502bab9cbf1baa3fa32e14e9174a7765c2b1053b3a3481e16e3988c19366bf88fc8db81ac9815e5b2b2

memory/1104-846-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\kQgI.exe

MD5 d5aaaaf47493fc0b3c26751eff6201a0
SHA1 9ddafa413b064199df7a1d54ee999e2a107e5f88
SHA256 e5dc9b92313b7e5343e99b4dee1753fa641060cf8acc5c1d319b6579a4a87d5f
SHA512 9d5f951a5e8084ad9a35226a4d5d2dca0783a580b1eb2cf9aae43b2a4d0a8f372ea9994072699b1ac1e16f0c78b475b1e6e643ab3d17f98d643ed4708fc7be1a

C:\Windows\SysWOW64\UscC.exe

MD5 f921d51d104fa7ed39b12266bcf2b556
SHA1 416c031e35ea8c26ce310f09e41991563f0e1fae
SHA256 3c8df2bb1b6d71c5bb60df37d1bd0f5112befa8dd3b35e252827a4fd912181b3
SHA512 9adc8d20ef11b2dff73ddb0271d86121623aece889757585b5b6e419591ed66b4fe9ccfeb5fcb4d83e83575a51b9128ab02a2e4d523d842a528cb13713f31f78

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 402ce70503a4f49c2184b3069b206388
SHA1 7524dc688374f0715be414ec106f8869c337a9b5
SHA256 12287209bae38e46b0895d1c2dc7d8b36631fa2d2c51107fff1c8a4f2c7da3e9
SHA512 9f3507edc8fd52c3e18322b0674b9e882fcdbeebc90b39bf8b738b1c66b2c9806e36d526e003f70436a88f6486bf904c347047064110be7e5d47ee6ca359a73c

C:\Windows\SysWOW64\OAYs.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 004a7b45cb23496ca41332c5cb827399
SHA1 f6b97befe1310704998ca17a24b7448ca4d84f6b
SHA256 9a2a17c46e1c6a5ab0771051bd1b301f8b0f1e1bd48dcdc3d2a37b53d48ed518
SHA512 896abeb1ca190c6b827563b6f740fdd74b58d1d7577b2685b6d700f33c34920867a0696e81e4a920780148078844f53e512c4b52be69679ba61da9b06b16ba8f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 e606a2f2012d6e1982ced3ee228f8f95
SHA1 9c2572ee4cae9ba4a1d04bf92b4c941eb466722a
SHA256 616cf17e216f20996d4897d38c5782ce116fcaeb6fe9dd7506e202fa5f444d13
SHA512 72bf8767c1e547f866d2a90267ff125cb40b6592b9e5bbdcb1d66cfc9b9a944ce5cfad8e9e46058effbbf22882821f945d020d5a36fae1455dda0894ba8405f4

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 a9fd2b86233607900100c72152125cf8
SHA1 6d629ea5071013bb1e9a0817cf32b18fd5445374
SHA256 7f734008c8c9733cdbd11043e15dab287baeb1140fa43cd210493a87ea0bb5f8
SHA512 d2b26082eb95279f34b1d2b959749b7ff994346ae598df2e018cc1076591b45eed39fcc585e945146b017c948ece5c430f5ea692731c90deb02e44a1b2877409

C:\Windows\SysWOW64\SkQm.exe

MD5 fef1d605c28f9e6755c9a60c298aac53
SHA1 61b6ef92a8ed59f2b6d5ab36d6816593f3afc27e
SHA256 04fe97275bd1ce9960044196512d0a3a4801a07ac2d0bc4e764d53a7a392180a
SHA512 16ae025fbc3d9fc9dcc7e2ffc9db026e3087026d48baf23a498d1cd99b20170fdd3676aaed424d95f8580df0c2f9182d7c7e269b0f6d5695b03fc4310dbd2678

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 0e6a42587890abf21f74fd758b22e6ab
SHA1 3412eb4a3049680f5e1fd0682fd2cc7a92761551
SHA256 ea29f210c107670bcbd368814fdf163b6b3d435838918b39082be7c225482297
SHA512 c86eb15ddb68e9e46b5d9f5a7d6cfba9ee0446efc093961d275091a5a389f59bf7e4e152f78b45781ed9d560679f2c406427babbae65aed96cc016a13c1c6586

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 ff508cd4a3665469c6655222698d71cc
SHA1 2b66ce54364704a4733f5d56865601c7cd0d2282
SHA256 a5d903e42f5c2680daeeeb3abcf0ede185848a0392f70b7e461767057f19dfd9
SHA512 24e6e26dacdd54ba4842c267b388e6d69bdfc5016a04a168ea8da5ea279d59878b20622fb595acba3f9bbd2938f294064905692f0b2dde1f8b75034d0e63b621

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 8338fda6195cdd008b217b513bb5f852
SHA1 99162e0f1d3724a134f0eefd8ae27e878eaa718b
SHA256 91b5bd740275000ea56edc538d1dd304c9563594e41988ca6c77015fa12456ec
SHA512 eec963b79ff771cb949c818c4cd2d52414c87342ac7824e3f7d5f1f874b022a01d221a03cec7bcfd8597382226d0ffcb1f253d4e24088084f73c0382fcce13e1

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 4498ae62753f70cdd156171d40b68c41
SHA1 d897bbcbe58a6286246f2a6eba001cdd7fb92f31
SHA256 49db729a15a6778c540b2fa4d3cd8bf040a817799e29f84e844bd08d9f752be6
SHA512 02493bcca5f1cf5be81b877a42ed5eeb64592deb2494c2ec6e3735360c90a3aec56c0788a46cea55b99e0f0e7602269ebe40a789cca856780e2f3531877b4a01

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 14a4e52de7a0c6c882320d2880d17ea7
SHA1 d356535d4ccf83d4fd8bbf5bfe8a751b02838066
SHA256 9fc86bc986490fdd0fecd9cea1e1e1d4ebd1f399cdf118cab6b4d9bdc3def5ce
SHA512 ed41ecce710f0e917b011ec279c78eee47db97276cfaf9621485d91cf9e3353c0ef01198e4ba6fdf9339c859fa850ea53fea66b1c0f3251b9886a05864b9ea99

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 992dd46ca936f858e0872f51f353c432
SHA1 aaa51de6a3ae40fc99d1e88b5c409f992b73f920
SHA256 3fd9794f79c9b66d9dbbd7d802f08e4329cc46e02694824467925b8356d75651
SHA512 6f3f0b16a6bf89685886fca221eb8da3eff2494fab99343ea0d0369efc77a6fbb761adc2bedf0b3a096b22601b25ddb1a73b2f20e3702d839b66d257986a9b89

C:\Windows\SysWOW64\isYg.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 74d63fc210324d80acba3eead3c4bd15
SHA1 8b4ef207985dd3d7d0d7580b31f7c0657c0b8024
SHA256 e9b4050397da146d3fb05548ec3d0208e8264b3d65769a38344f1aa09406035a
SHA512 10ac2a59cca310d31c940ec59f9dbb4dd5dac8a446b1e30c936f2979ed800b2a09850b8459f18322df6b20e1b2f6f6ed9c22fc395a73195dfbd71c224f69c715

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 41d94f72fd0c7c82994ef8892dc409b3
SHA1 3512b99bb12d5b34740746d22e469a6c9abc0850
SHA256 4b44d76d41304ff931d5d7704fe67acf75361d5f053cd9f3722960729ba20385
SHA512 82ea4ac365becf23147bc5f382516f6fe721c0b6908f5fe22953e6a0750ab9f5621e97c27bbd9ca85196e1472d90c25d01ae9fdbecd65a9c35a0bf617b16941f

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 52cbd13a5767d487a2229881ee996435
SHA1 fe38a6715a92408c02b4326eaa52a38c978527c1
SHA256 e54e6485991ae201a38320b67e1746830f34f3de29442f30b3586678f937738a
SHA512 c5003fdb77183276bdb983602b1f8af8911d7daa38f11e583ca0f9e49df6de76d61e9b83fef7ff0be0cbbf08e20fdf162cecda437b9402d3b64b19945a46b256

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1e0f257dd75bb55348f1ae3b38a1f654
SHA1 29b4d972c3231d2485d6b7b4b6325a040b8467e7
SHA256 173a23e59fcb4043da786a997d747dd8f9879155a8d5f040c4a550f90315bee3
SHA512 7934ac0cb6e6ef398e6fc2c7902b686d23ce3743610ce3507675682f30d83d3de4da2826aeaa583553efe7e66efb2984c2d2ef3fa99cfc364303366a2bc6d730

C:\Windows\SysWOW64\GMsO.exe

MD5 a53d50bc767422635d9dcd5485792d14
SHA1 69a01d5bb976a32b0c6315593b7044146b333848
SHA256 4b7e954f9a896a7e7da9adeec2b7af6ee41c99d3afb7fdc617af18b13bfdb4c1
SHA512 aea4ad6069396cae7ee5bdcfb7bc506fa7340d0f7efd6b4b03ec78afc24420cbca337499d640c667d9411f3b1065e57da7684822a11bf6e689e27c8cef6266e6

C:\Windows\SysWOW64\cgsS.exe

MD5 e4d7c89df144b336fbad83c795becbd6
SHA1 a0f0804701706e4f1403c4ea6f236dbeecbc48b3
SHA256 43d57ce273b76949bc2925439c006c9b6b34b9fcbd5292fe89de0ec0b108646e
SHA512 ed0ea78e600c27258f0d3e4d3db2f97d165c803f7cabb5cee71dcbc4361cad221572985efe9c474fb66b9db14c884daf3038c5337cd7c8b8027a6e3819f74ef5

C:\Windows\SysWOW64\EsUM.exe

MD5 49b8bcdf8532595a9524fd82058711ff
SHA1 706ea8eb331d16fcc70be7fc58de58e44f8b3a99
SHA256 a063a1bca4337ada855b79d748d8a8843ecb8bdb8266dda098dd20b4916f40ba
SHA512 002be4dbb692a911e29f34d86815b8f543e45c4e31080b07066c5919a04505f5e43cc63bcd7d75175a9747ee7ef8ccfbbafb219d45917b653e780d541f2fc847

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 05dd849ca357f403d00ec26a06ae5ce5
SHA1 0e6d66b09fd9fa2c1e8d657d8991d9868c115fbd
SHA256 b6d70218dfbad6af3de56f9b275e2b80bb7c6bb49a6c5fcbddb3ad0e163888cc
SHA512 af15f3008f9513989a82e6997d41db06ef55239331868c0d8078e04b5cb038e5b218e5566ea4eaaf71a5cfb07bea15c5b14781f2573f664d46eb0658a0141bcb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9bc8a044b2ab04154199d4c78a1e8939
SHA1 367063d360daca4f0968159c51965c8667368821
SHA256 b90eb3af0904ecae7990c7115215d59789006e81ccd7e2f33e98ad13c2ef1e3f
SHA512 6471a922b08c39e5c4730f79182d53cdde48180d8ade20485e9e0e4de9568929a1b26405d57d9493864499136e3f6fefe0be70fe2766b25a530079b34255e906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7b38a32bc42aec6fda821da043dde4eb
SHA1 7f425b48ae371ac5c4148d876d5aa4de2421ac92
SHA256 374025d67973b587bb1d30df401454b0e928a3aeccd60499961ea1aeabbbfdad
SHA512 0c4c6145cdf7174d083b55bf0f4ae54fc09f5fa78252bda8c789fe4e942d94fc6dc1cc0522f81a9d90e0ab34c3f18aa79b0d67af55004da4c8ca2dadf0dea78c

C:\Windows\SysWOW64\WYIQ.exe

MD5 f5a206ec32584e6b90408706553837b1
SHA1 cd68d566c3541c4a11cc23061f199433bf79630d
SHA256 eb6eacef5d8ed45cdd95e483eb9c954427d0d2acbcb339dd7b8ae1cf0fcf91f2
SHA512 ccf8ea687337d4e48eb42607324452b96b3d477ebbcf31e5b6dc86cd131548fafd02a96ad908ad52084d7a619f5b812f0dc8d02ae0bcaf06c3b967f6e051618a

C:\Windows\SysWOW64\uMku.exe

MD5 c2ef1112e923a3205a57c685c7644cba
SHA1 e8827e7f3335ed1b38dcff720e4958e6e2090a20
SHA256 fce8884139b88cd77bae172a2b231588f5cd959c0b0caf5c7b5a36c935830288
SHA512 fca6acb49694c055504f80709e7c0a218560e1f90574079e62f80b7442b143ec4ed83f446407aea31cc03178f3fd321b275714cd5bf022fd1e0c42592f32d43c

C:\Windows\SysWOW64\QMkE.exe

MD5 b826eb5219edbf332a1a96584e4af0f2
SHA1 469d87559d664699405de1fac85eb1a051a2b0c8
SHA256 dbb6c360d6ce85d32df88836538f1a4604ade031605057528949f06d231c43b5
SHA512 d29368619d9d814b14a7495e0521abd1c4e8f2914a6064262b0c222013937c732dd8af1fdb594edbf80922d5a540a013d2358b098981be75d61645613b12c941

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 985e501b30bc269f96190ffd5866236d
SHA1 1e1a7531ede8434901726bb76e5edd5f40caf54b
SHA256 eadb11e0e21a11cc4c95c759cbd4f5b62f785c62b1f217bbbacb7ae1cf48ad40
SHA512 f3958aac6898c4c62b1575f1ebf5a422257cea5ec6d7f913e9fdd8cb6509b00dfeec1c17a99961338ea791950d95c749beee6af4328e3f0d22d7cd0193d2d9e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 1e96fe19dd91e145b4d0231aa7ab4684
SHA1 c8a7f253e603161923aa82181285bcc3bd00c80a
SHA256 1c347ed0c93015003629cb37d1ff108670169c5f14749dbc970ec1d7e9b0e278
SHA512 3d17c1eb1bc5566778616870db8f9fe389aa75d7d8b2a01c86ba5df1677c83b8286e210340b85a87296ff75e4bab3f02b8d03f0e9d5153824c0fbe29a4288b38

C:\Windows\SysWOW64\awIA.exe

MD5 4b039bf2a36c0aa2680a4ef36138797f
SHA1 86b129bb934e36f3aa5a9d7482f149e67704dfe6
SHA256 160ea7e30bd275321787e128142d50956e390488186f6d430449a0678f9179f8
SHA512 cddd1360e027023214e27d2aa6e361be08409150e8551d694396f033797e8f98a9ac8d2e18050bd27b7873d0e1f3fa78eaffcfe033a7725fb5aef6c89b010309

C:\Windows\SysWOW64\EMgs.exe

MD5 3bff9f83802447e8ebc5eb0fe442024f
SHA1 bbd1fd0e1a06b6b257f055a8492a51454f85f071
SHA256 75d99f42e84fa4cc660f09f8a442cd7e600fab40ede9be0300ff33b693699498
SHA512 7bb10d916708a8b59e030474f5e50b6686c6bc96cba5af52adf33ada806e2e5e30b103ed5472d2a446278ba05c7836820d5992394b10e156e6a1497b0efcbd8b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 eb48c41a8ea8ad6de937596f1476256f
SHA1 1a2386b4082abf155adb8c47a104c5e9dd65685f
SHA256 18e7766052fcc6045cabbe45f4e44f97c21306c96a8a794b399fd1e33e844b49
SHA512 9cc34f385b835261488c0189232b9f197e48b21d7c7db21d89a161f561b5745f40ff17d1e2a1cc20a3c87c70d135b38d7e43a15b2b410e8219e7e52c96c66d92

C:\Windows\SysWOW64\GQsE.exe

MD5 04e68c1479d6945544bc5b31a340e584
SHA1 1f18909d3907a7f74eb43fb6f81b4cf51676a8b2
SHA256 f28b2ddb8b9955b5052a6cdd62d10f200c7827eb45d9901bd0160f22a63aa02d
SHA512 9c18f6a4151625bcd687b2f124329a37c55676c4e4d9869278060a770914d576d5a623f09ca262efd7f25a807fdbe4fa23a17d6002468a6a380012cf4bc00b66

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 792bbd28c4608dbf96ebee935aad0ab7
SHA1 67f681b162ff8106e020ff2e297f9bb8aec0588c
SHA256 83c05549b3bb96fe06f676bdfc88b0fcc80f009ca34b9ac91b8393d8336d4d8f
SHA512 c71a7521a55c8c01e6a28d73b8119af8b6777adefeee9c1de262c2f2e44f41fa85b668ce444775fb3eed2cf6e14973f56639624af0bfefa53c97e8d39a44766c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

MD5 b2db4b38bbca83b3a516140d372b1a3b
SHA1 6d7e3b76b2643bfe8225168a8917c20012cc4456
SHA256 8d2061dfba393581510482f228af6bed49f1cc3dfd15755509ff025f672ee0f1
SHA512 5d8997aeae49d8fc275deaed858f0dc5305cea892cebf54cecad4ad6da9a0b3c019e438b29c704936f40059189af5af3a1dd4936f68ea65903d723c694ddc768

C:\Windows\SysWOW64\osQs.exe

MD5 bc06da3b179c7e5b5b82aa9fda1e0ac0
SHA1 9e5960d56b065d7c2c4af6c4191554a2a3fd82c3
SHA256 b0ab9bc705215b036cdc3585e6e38c201e5d084679591dc6228773219d9a4ab0
SHA512 6a9c94901027fced24d8f81aa0e59d505afeec4e32af0c4df67990b72fa0a9c1577af7c647882a1915641f72a2ae9c38dabc1ad8198c8ac691941fc393cf9a82

C:\Windows\SysWOW64\wQca.exe

MD5 461e7b4e12e3fc49f252a532730286a7
SHA1 6e0280e173cadc5e0b1cc8716b48209c280aac4f
SHA256 4a029f4456af3dc90d47a4f26089540f04574ad0f33e4dc6fad09d0a273cda70
SHA512 30787494f06ff238f8e866efb5b181d4b2f75fbff3be71d7f3fb4ded5093e87d20ee73ad5596e2785144f249e5c459ade3f689827f7fb96c08ce93eb56a53b7a

C:\Windows\SysWOW64\CocM.exe

MD5 36a54ce5a2ed5ccebc6cdd546de3155b
SHA1 c9a54f64d32f1ea94ffbe80472bb9d992d0fd3d0
SHA256 1682b4b0d29779ecdd60435399a6500b3da443c8f511b35df90ddf03e0844ced
SHA512 177b63f8375de54456b57a065758f1436f47929b39999a07aa6093530255639ce52a512a774315cb974bc22e039de0966e6c9fc64fbfd1360a4c73737c9c6085

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 65070e2c36a2869ad9dbea0fbfb6d016
SHA1 f3a12ea98429de05fcaec3578727a6ea124967f4
SHA256 ed5773a68bb4f59580f6ce1342348a56db4f5d9e03647f837e1671b76fe40238
SHA512 bc68c8649c3d0af0a4417cabb0617f1d6cbad2df410b83ce0b0e392ee582bf6bc0f600d016a7ad596cff5b8799f2a3a1f0b1cdd37a41b036480b75d1014e6dd7

C:\Windows\SysWOW64\oAgo.exe

MD5 e82dc68d143690e7ea2c3be9b37dd4c3
SHA1 2c63b8245aeae553a283da161cb1623dc713d9a7
SHA256 56f527795d6a18e561b3d3150e67d751c47af2978b6921282014a6afc7f0c00b
SHA512 cc0fe98440eab84e9dcc03fe0392110414f0af765aa45b237b606d75549a1431ab990cd639ba42b9e346f440405cfc6b71563eff20c6386fe837bc75a2e66ec5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 8458ecaea693ac3f073bddc584a23177
SHA1 ddb296d032af59423a1d9dc8a05b5e0193a68e37
SHA256 a3534ce1280247023535db8d87d23273d903bd648ced1fc7a6cd40a8fbb53f0a
SHA512 c1e1233fcaae1ea5070feccc2e0993f1cfb46af93a7f07628c22a82bb6c26e6bcdb854e34bbbace878a3e9f002e6934d25838cd0d0654c99a15576c0cf00c4b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 2c44dad1b3f17237efd8729dbf1fe095
SHA1 030b7d3e51c116943f41ce88b47f41742341a99f
SHA256 253fcabdd867a52072734bab98a94037e0b4add9f85f15219c945a99e10df330
SHA512 11c905f6a77050cda1b883b358b7ffbc517da89bc6acc8576b3308bb70f714338a63580741e28815c047c3ddda054722eaad24d8a73e7d56e557e94c1f5d5264

C:\Windows\SysWOW64\ycIW.exe

MD5 da96327675b8a46401c236f539e2632c
SHA1 54c275a2c01187e1583113a8add8910ae9aea248
SHA256 7b096b8369c04619324c7c8bc984a29f667f3b62c73f7397f5a658cdd5932920
SHA512 143b4d8f4a5eaf86458571222bbfce794db7bb8dda9d1a392bd016eba3433a9a23a1fd1a773f4fd3e7c24b48d63eb217ea6e4b5a2a72340cc35c0e7846bae11e

C:\Windows\SysWOW64\qAUY.exe

MD5 ca510a2827075fc7d5be327db1bb9d52
SHA1 c4cfa08632939fe57f5950c732b92a8e073bd06f
SHA256 8ff4cb30349fbd03f4dce58a6dd6dee932a9ef7191c42a4555fc9c9277208331
SHA512 23c1b9b55d725ab37c3424464ca45aa7776f271c074a8e4933be19514294eb5c1742bdcdfdeeb78b05459f4a04eb1889906dbf493070fc69d1339811ecdf4c77

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 28e898668550c00b370c07de1de6d647
SHA1 461c5e3af8700b5221351f3007d565492f45938f
SHA256 afee8f6771c359d86c8b736c6f48ba498697fe44e23baaef5e9c8f1865c9c78c
SHA512 771ae36c5102b448d950738900b5e852965c176711898456a1e5486c0b0bf89f543555d3cd687df9de018ad41cd8553b8fc28a6c371c70cdacdf1c301ae1b79a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 65e48da55d93ea1e9bfdeb334cf66796
SHA1 a072ee5ecb483a819beab9940e95ba129db04bcd
SHA256 ff218f0e848fe7556159e68b74a79852b07d92f72a5d0ff66cc799ef6ce3fb29
SHA512 fe504efcb76906826ad0c07fd6ea9f9124cb98207dc8678544456a62cf403c02ee93135d81bf2e6f65b7d284a4571f16dc3fb415b4fdd87d31a813fc166b5d74

C:\Windows\SysWOW64\UIwG.exe

MD5 24c9306b23d988f3cd9ac3c7f3bb721c
SHA1 8686a61cdb844e003a0daffd1371121adca7f1d2
SHA256 eef22f48e29eb43b2fddd927fb350fd9c22c0375a82149e8da9a8b2bb467e4e1
SHA512 84e01fefabf7920126fbd52a821b98b6323d3b41476337ae9c21465bb22c50873960426a991693434ac29599ba8adce05a0430ef2ce8d19293d1c6df46c4abc1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 41068ec6d90e13e47550044bdf702f74
SHA1 f07c67b8f78db630bba7be2f2415a422af0a8a13
SHA256 cca23d9a5b8c4d7a8290a8b8df257badf08a72f9505cd29c367b4f9ae73df4ef
SHA512 5bc2fd90aaf328d68f5375555cc23684ea3ca76cebe08e8c9375ed6fc58d8483527631312250b7987743fa826a6b6508e41dfb16de47c2f5b098d408cbd9cd97

C:\Windows\SysWOW64\swss.exe

MD5 97c7132544b9df22e313fa15f76c3ca7
SHA1 6b5e6ddb32835484cdd68b5840ce05aa695fbaf6
SHA256 d33d17f86c9bf9198462e5b462d9641acf36a53eadc1ebb8e6292a1bd41f2ee2
SHA512 b8eaa6a18e05e2c4b0fe04caaa5feb875703e90f0dcb79a32d10d314e44c67a17ef1d0ab13efc3b268a5cc9f9e54465409fa06ae7f74fed3d5de0865e481fb1b

C:\Windows\SysWOW64\aEQq.exe

MD5 92a16417420a4528f52448960f87c4d8
SHA1 035bd67abda014241159bf5e9c074f311867f227
SHA256 fc2c7bd2655c8f6ef137e016036bae7a1544297d91028bc988b9bf773215a35c
SHA512 ed7362a8ada5cac8d3d00d8a02bd7b98d05ad01538ce27f4c0cb5d136bae1ec0f819f1935b539eabb883e40fd93ecc112a3566cad3c1fe5e728bbf8aee43333c

C:\Windows\SysWOW64\owUG.exe

MD5 49578e306f4e74f14b9980c239acae7b
SHA1 fafa899cf9b42cb1c46ef47ce0ac21a0c64754ad
SHA256 b43209414dc809886bad0440c123565ac0fb8d33f346856d98c25ade086c1ee7
SHA512 7628fc26920b87fc6248566b21af179144553ef6d0bf357afa5e08d5e31178e7d1982ee8fddeba282dfde99aac95d4701cb6fafe59d711641b552d7f7352fda9

C:\Windows\SysWOW64\oYse.exe

MD5 00eed018a06c47c5ebd44e4b3dd9e5a0
SHA1 bffab6ebfd0df12a636afb834ac05add9e8ca5a2
SHA256 71d9c141c8f7b3ff75461b57e382815ce6506dcc6338d38fc7c3f95dec8afae5
SHA512 86d9c08f645f8445ed349a0750935c1a2994ae99355ba9441a45a1d0ec9bfd7511ea60bba40f3d3d8d8dab4bd237c80c39c4eb7907449384fb690e501c94ba57

C:\Windows\SysWOW64\yYoI.exe

MD5 e63d4c04cb8c267b3cf061ae66b12187
SHA1 ff7c6230dd9af8775a5712fad89e1eb1df3bfbe6
SHA256 207c6ed1c54fb76f33765f4b8517efd0f316a5927ffbf352761e5d246683b6cb
SHA512 64bac9cdcc6b9f13ab50d2a4c21f7ba93d6be349c2d2f0a212dfc179de39a70bc4aeabeff5c9e221b3e751a18d62e677733b36e7f2bef6ea82d4c44c1e1f8898

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 f3292e4612755b47b86a69df7b7e343e
SHA1 4ad87b0b908ad2238700bc6290f17c9968f01fda
SHA256 c6d39d5e5fd62cc1019ed6074bda300dca79f37c41d2d274f27ee9e07a233e83
SHA512 b5bcfd5bb78bb09c36a8eea9b95a15612d0161caae57e506f690586c579dccacdfc28dbd5a2fd2111a8eafad4cfae2842ba7f02733d47a94ea2d29a4b0cd92b1

C:\Windows\SysWOW64\sEUA.exe

MD5 95ecae8ced17b92f145b2234e64dab81
SHA1 345e497ea6046497be64e8137a2896a707200913
SHA256 af6e156605b7e6b5a6c9620e4c908b2566dbb0d93913de8b6300f6555ed646cc
SHA512 dfc6326269253c6733f5bdd382e242adbf84f456ddbe531f35917ceecfa7c6645ee1f7819a5fe5ef3cfdd827fa0f146162a42a1137a7ed4b760d672ebed17b08

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 34a4a9418e8908355b348af943a8ddf1
SHA1 68d62b9f6076c034d0c0cc97a4b14e58c9c5a77b
SHA256 885d1a2c79a29f90529b1c45834d4f743aed60ac11a4b5f04e30a0b0864d6799
SHA512 63cd818b70eef83e514e66f2ee4833e1ecfb23595b33eaef0f5d35bae3ec6c42f705c2d5bc81ff3984d9f086126b27174e73b7cfb543b94a659854b889996c32

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 6cd1a7fa97252ec41a3e5bccc671e0ac
SHA1 d69884936fa2e2961a4d23b896fa0e0fdc5a6d76
SHA256 7611ddc9049deea0fc7fb89a6ce8acebb38a97816791266962dedd995b2c7426
SHA512 efe5a6ac1127e76637e10c7a68613e64c559fe39e203733d539243673adf8b7422d23a21746ab7bd8d11bc42b9505f1fb61439c814d5b5dee9a0e519e47eb14e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 1ddf1ae763f2a7eecc2331fa4cabd216
SHA1 88f8d920d7dcde96d7a140b80bb7cff0b6e60d9a
SHA256 ef1792a9e685cf2d8a62c97e00dd1fcf815f4858bfc63177c8f9b027ed828ec2
SHA512 08b4ccd114f1f51a553e7d1568e4e22fa6ae116c96c4a44449b369b7ea435f634d28be1038458f65b56336a92e2f2c5e344facf2a7e861456dbe85ba07f7d65a

C:\Windows\SysWOW64\kkYi.exe

MD5 b463404b491184ba286437403c8a1817
SHA1 49e706b8d2abc5888fdab1c5c737f0a40e5d752f
SHA256 9e83a36ee5a5b99eb9de2484921a4148d3ad035506ce4bfaf1f55661c73cb8ca
SHA512 3fcaa9d7c7ce76143e0d74e5cec08e5255ab5bc6139a56ec8eff6a0611a0df7611160a988498a7d49209e1c1cd58251c6102d8ee87d3ed294c25e9c16bd9417d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 0433dd3e6c765ba8e12c3849214e1b51
SHA1 cb5b3d6f2010e3dcec86a54530ae7c43a480497f
SHA256 9ec2afc1e78445a65de53398f4d6276ef026a862b102e042b518a9a811afc606
SHA512 57abb3a133fb02164dafb573a6a045314ff18ce63f61bae17afa203f38b7fe43a2c8deef4eff5f324e64621be4722d8f7541a3d000b754911a6aa7e321c0da61

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 744daca64814bd5814128cd340126617
SHA1 daccb6e0fb77b5e4876a938cb8932c9fb3d99ccd
SHA256 1a8417bca13b3fe63fdfce67e833925f2713ee676f487d442db56d4e836a3b49
SHA512 bdc82f76025f1a3af01957084c413cad439380d3d0e53226f6e360a58a3b01ce0ca8cf3186b8d82b97bfb107ec7c3f312c405e503af8ae711f75a26c1d917625

C:\Windows\SysWOW64\IMYc.exe

MD5 d4788c88969a24f2c745227d64e5ca25
SHA1 7e2d6cd72ba681b675bb37b485ce32a072528ef5
SHA256 ebf5240691ccb7501490d8144a74361bce84623d2680f9a8dc400655aa23d950
SHA512 edba7e5f67fc91ec918f799f499dde271e722bf64a2abb14e805bdba767c1a388b9a4cb25baeac360d27baea38139548e5ee908ebe9b162457baf153f300e48d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 a84e67bcca4ffa74db2a7b23b3d06989
SHA1 3a59f86ecdde094cf8cbdbfdeb03d4828263079f
SHA256 a5aa9b21da6681276896edd79df07dfec97fb78ec41d1a7bf736a2c60af6f468
SHA512 bf25051b5d952d5f19e68aebc7e64d66e0d29d62208a1dc926be1cc4907bdd7c76b2b22e6ac7406c7dcae5c9d87306a6cf18259c9bbe244148c03bd24d0d6c2d

C:\Windows\SysWOW64\CMEQ.exe

MD5 7799989b94c536132fd866c00201f84a
SHA1 ff0638981362eee87965a04c7217a5287c956219
SHA256 3063625bee7af2fddbdd14ea75f8198e2f3777ef615a776cb7b93d1a38ed32a7
SHA512 ba643024c86796b0fe7a390dbd5c4bc7765404221501544d203ccadda2e7c19fa2ee1dd9ccdbdfd37484282d05684802e1104a459a25fe012b58addd1976b382

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 c97ab87663fcd05066952d11abd5e94d
SHA1 d8092fe8d0a896eb4013d57ac9a4232d99d11dab
SHA256 84c0746b0925165ab29948adbfe0b3cac628b113a25b9b3f736b870275d610ca
SHA512 2a03fe1bbebef836d4f47bb7424833e8976515d7d1937c3e561f234f3a402580ff2bfc3a74c795355c9e0abbac8cd53e34ac26b9fd1446cfa8c91776c0ff3ad3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 45d8f3dcfcea6e92520b1d9424ac1ee7
SHA1 c8cc33b22d909abc93b2a1d426abefe162b27448
SHA256 e8fd35024697c8414cde1a7f410431accfa39985f30c5044e0102dee003d56ce
SHA512 ef32e7e0a168a64921f1976ac2e7eddbf5e3382150b4d5829ea43a91267b4ddda6274affcd92b5ccaf05b47f142ff21b51c25cfc2d55a1e2a25b3686d0914ab5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 706f850a8ee716938e4a6e2868576142
SHA1 df36a146a427faa539d1b7e02ab1216b20ca81fa
SHA256 97fe0fdc8b0528fcfef8105399cc8c4871d0e5c58acc4bcd9ccbba10f54ec579
SHA512 6d4ea3ea6f9c7c7e069b2d50017cafddcfb96072cb7ccc54f342933ec27fd31e614050d7433c2e1e7b93c62c83a07fda1ccee4421faad6afcdb901a21ae78ecf

C:\Windows\SysWOW64\ocIS.exe

MD5 a0b421757d38cc1a31529337f9c4967a
SHA1 511e5ad0c3d6a127171e85607b2c321347db717a
SHA256 d13d9280c3b3ea2798a3d0beb0584c8c97fb0f0c8a53c2ac10818e37eaa0bcf5
SHA512 12542d5b2f409af51f485425c67bd2690749b4342d2762967a94a85d9a6d7f3361c00c179074858099ac6d99af450c1772c1d2efb844ac2578ffa0a08e06dcac

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 10eec06012ab0f2594a5626101da86f1
SHA1 624bcbc0c66e6989ac77c313f83817fa0d45459b
SHA256 30430d3b211a8736b1750f2dedf1a099297eec0989687e2b633027da23a78bcb
SHA512 ca47cf3cdf10a390d5369b3f65cb6caa8f3c3b47cc212310d37c754ca49bae3f3337bee94d837578c11bc0ae5f57f7a950a25f96986a530293e0c5eb0cbdeaa7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 876263a5b9477b81cb46928d21dc905f
SHA1 563f6ffeb5554583f9235db29c905a215bfef314
SHA256 fe999d67c1b34877fef88374ed6f92ee3698b70ba6f3f116406ab9db05b24dd2
SHA512 6e1d92b47d80922dd390fea20aa16a0f2b881a322888993d5aae257ceb6ba4b2440cea38bcdbbe680d276b1c01252f9d953beff3b48cf11d34ae2f9d086dbe80

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 82ba3e089fa13f104ad9c59f9bc8fcca
SHA1 212d1c97328317d368354be6ae49c3f87b19c482
SHA256 ad967f5d58b4df919aea5bed641cc0d289d39f866b7b56ea8307263a92332434
SHA512 faba3cdced2dcff73956439877fa9fda1a0e29e50609f11a78884eb56aa1dbb79f46b89ef3915e44b1ee4c94ec7386a50acac00fe915605cef72f2b43f0bf50c

C:\Windows\SysWOW64\WkkO.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 26611dcd3a85cd4504baa8bad27e9eb3
SHA1 8d3e65d8a2bd9f5fd31b22be4e1f225b770d652b
SHA256 01fc0e69f3e4e7ac3515cb4d97e2ed8480aa63f97320dc9671a6048fe6b8e743
SHA512 313d79c5f5c97317387db9266bb416c4a333c3c37c1b899d7144aa81468909bbc8b084e3b6005eee5c40a1dd524edd0f61d15d3117d951e0a740863afe8b8ff2

C:\Windows\SysWOW64\qwIK.exe

MD5 2b08d12e277898ee1ad9f955fdde06ae
SHA1 195fd7e0ccd4449c8c462077f7215286bd795efc
SHA256 363d7450d7bbd95cc53982228cb0a0637459c764e411822be7531fb6b63b40ac
SHA512 777768c0fbade167201491362397672c2fdf6f058d547d57d9719036ef1b6ebdf13ed72eebc23afb4c7d60315522d6ed765ff94d55edeb0ed371084d21943414

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 b42792844cb30211c45ef93689cc7119
SHA1 84e4b1da7c2c1765d1a606e868149438d6f71cfb
SHA256 308a53a71df09e439ef9af71504b8383dcff478ea40a75035ba0225d617e6082
SHA512 500d34ed7301379279ac8e11dc973ff60db8a19279d18d4b35fd8ab95da79f6ebc742611bb2c7647a9c6194be307c00afea48b7266ac8930aeee6a7aba6bc4fc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 9460c798eeb9193fd4eef4f8fe65cdec
SHA1 4bd3198f0a37508242535c9b04eeac99c43fc9d8
SHA256 f664589e9adcbb25ca6d25ebc68ce3d5622eade769b5237941f42bdecd1abfce
SHA512 0be36c7c5a7c0f28ccc8d9c39f1ec29ca38e836c432799f7d144aa67703d73570e4ab738fbe59685f327bb8c9b4f828f06a2ea66f58cb25ae53105e44f2c9bf7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 6ae55e0932f2dc0b32741857a924e0b7
SHA1 0b93bcf14244b805571904a629de52cb8638d7ff
SHA256 7bb20f54b007497add239b37768c2e8ebf4cd167fe4e58ce3d823ac796cd86b7
SHA512 cafc7a483fdc58c44596d381afc8a96acdddee1b03116957742fbba25807268ce90d670f217a514ca4ccda45234f9105c458e0101431641848be04039c5fb148

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 3d52fdbc63edf1d2c22a481e6512505c
SHA1 a50c1c96bec9f0be84ccc0a1da7be60833ae0991
SHA256 4c7efeef22b8b1a2a0ff72dc7cac27c7cc67fb3868b78a570ae41a1932213451
SHA512 2d6c15722ef692dd60a1edde7421d5b8fb16a6e85752699fec7ce7e797ef77fd1f8bdd9d36fc823eb61282cd078f9eb4798f2056cc465ac6b6b49dca60d47a66

C:\Windows\SysWOW64\ecIw.exe

MD5 e8e6fd84bf690fb81998a654efaacc82
SHA1 687da16a27bf32ba2ef7643fe5273d88793c78b3
SHA256 18a9137a599a49bc713ee482115ca80dbf5b2f3352e0f8cb48fc9fa4c077d379
SHA512 8b1d9aa66f2168e6fc6412fcd3063003b4fcbbb8a1f6850771a0e34cc680f971e224376318d873940ddf3ce645692c1a937abf783caf97cfd3672a10021d684c

C:\Windows\SysWOW64\MwoA.exe

MD5 175e04159600834b873262e3f3d1e7aa
SHA1 631d2d489652576d9152d08aed6f8d840e0d844c
SHA256 02b430184c638325fc1811b04fb5507020d6c10284aaff1789d586ab9b54e42c
SHA512 9536cce845055ac41bffa80d903f39251586529d4a8c26acf050c7b80d5c01d6443054859090df1332469821c162eaeeb91d513f74150e16c9de77763f08af9f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 d48009405038efe2a61362ed90a05613
SHA1 fa201cbbdee0973d5daaf11c8799bd8c2c9f0e2d
SHA256 04a0dbf0217402aeaabc0c8673ec102ffbc254e194637afaa4564711e895e5a9
SHA512 e4b8ed8115f1f782beece3d94ac9425a9b38ebba7d6374e8604813a3f7cf42b6b9ed16e51fb78e2990c3329fa644ca36242ea9a85c555dc66aa8b5849b465647

C:\Windows\SysWOW64\uYYS.exe

MD5 9bba2c2f31d7c8787f63c074465eae01
SHA1 63e36048f5370c1b92f53083fd961221736cb357
SHA256 47260026d83a107fffa7627fff3b3feb3b51738d804a5f356513f7c5c0d67dde
SHA512 b9fe5ccf0ae7d0058a6a465818186731e7dc4014fffe383d3f4dd5d93f19238897101674a0fbb769990ef8b6ac8263b0e20a611291414683fe81d1d3eea17f3f

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 c155b1bfe63238a071cfd43a18e20ded
SHA1 69fb424c731a5736689b5ddc31aed72ae07c8a03
SHA256 e74d1eeee52660abc7eb656b4d6458df10cbdeb73e0fa4f6cb255dacd316204a
SHA512 ffe4ab9e06d88e873130469f0db58df080f835b60cad3d28a66846bc06ddc96af215be65dedd62c1bc5cea943e52761e92d4a8ab90d62f8ffc36b86e815d5c52

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 f84edbb651232b4fe0c0252eb5240e78
SHA1 52ad3ca9b13aea1379b016067d40fbc3dae9af40
SHA256 7f2dff2186b246383f4fce35266fb4ab4980d7ea9c60e6349f6d233d056c81c9
SHA512 a1c61754cbf97934b681d11251a31479414e4606a3f72229a4f8d70afea54736db4072e2da60d0b69ff6ac2f8ea72d0d35b1529fb47780c1cf5497a37ea172cd

C:\Windows\SysWOW64\yIkw.exe

MD5 a44efbaca4cb7e191ec389eb9b7605a5
SHA1 f3f6c2fb231c794c695dbcf282a80023cd002128
SHA256 71917c25db403c8b793bf634484d0044870799940784b17aafd6593c88e8c0f8
SHA512 67049267f36a858a73676d0b52d030acf113d9bdd87d13441e16d79589d903ec2b55e83343e793bf45995b9a826a38e3b889ff5cc13d357a37779998b67a292f

C:\Windows\SysWOW64\wEIy.exe

MD5 2000ae78bf598a0e75f322745131b050
SHA1 e5e8943a7a9d09ed0f74b1a444b950ca367ef684
SHA256 e54b5d993ab2b7b03c23b47073102290a975a6afdf8265643aa9ed27489bab89
SHA512 26cb3884383c2b33826f832b4d9b9c8ad3930121d25e1a027de8b5f0264d6b63bd5467c6f0537789671f1bf5e647bf44ac1fef4d5c20bc933dab680cb85d93f1

C:\Users\Admin\AppData\Roaming\ConvertUse.zip.exe

MD5 65e2835cf8b47b868a832e39fb85c2ea
SHA1 323e40c748b8f9f3a690e843c1f7bfed3b082514
SHA256 39f35c27e4fccce1f5459a6959d664c0231f8172ad37f6a6c50dabba3c63344a
SHA512 c199cdf050a9ce092e31da0f8ead1616254eea773cb52fe477fe56cc19db18c0966702d5bbcb29dd2ef61a44ee72a974db7f8e0ede8daf34621d3656618df067

C:\Users\Admin\AppData\Roaming\DisableReceive.mpg.exe

MD5 9bd4e29347e47fcb69bcb197f5f9251f
SHA1 ab0f0dc0cc7075fd651833fe5de58dbafa31704b
SHA256 5495d9fe3b4fbb2712b8f27a87ff4acf450435cb7c4aaa4bde65fbfa09fa28d7
SHA512 7201c6c4659aa72d3bbb8fabc2dcf7d6cc6da65d16aa4e403f8a98579700a5fccd4c854e065f1a71bb68890bf7e4cb93adec551b515432c9fac23c65d68e0d71

C:\Windows\SysWOW64\AAgE.exe

MD5 fbd80aebe4615b748ed49697ab695f37
SHA1 4799471a18999e1313b08c46e575957db7188fb2
SHA256 57d956d75042b5c3322f16e3de11b75cea2a58b481df815bd1cd297aed87b73c
SHA512 dc3c051a4fb8b6269ca85f98acae30df31fd5906af58e98e1dc6577fe1b6bb2b98073041ad6892f94b5b331595dd585943fbbce7882461e85f455463231b735f

C:\Users\Admin\AppData\Roaming\SaveStart.ppt.exe

MD5 5a0302c3ab54d8bbf803b4c978b1ae31
SHA1 10f49731ddfa130e86433ab35587fad3fab0aaba
SHA256 58f597cb743fa83b103f8d89e1f6975c52e4a683aae9945de86753640bfaae6f
SHA512 e3a1fe942390332efcdd028644dd3ca2abc33473dbb6b737a776822299a72d5bb29041566da3e1fa5c8284d6e6db49c36ebafe68a57957f967c0118d64ed7a04

C:\Windows\SysWOW64\cQAi.ico

MD5 a35ccd5e8ca502cf8197c1a4d25fdce0
SHA1 a5d177f7dbffbfb75187637ae65d83e201b61b2d
SHA256 135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715
SHA512 b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

C:\Users\Admin\AppData\Roaming\SwitchClear.zip.exe

MD5 4fed89f72aa0006676c453a67bf1bbf6
SHA1 7f0ca259cbb8477bf22737f1665fe0982cd792de
SHA256 e529753e0f5fe96de974713ebac1745612b262236af3b619d49238aafc7d07d3
SHA512 73a318601da28a51f5654b5ce37ae63350959258a606de65028b9514b88c9ac2d6be554a9ded2f03c01c1035aa399fa03fa0506da417eaecc0f34d36dd11c471

C:\Windows\SysWOW64\IQcq.exe

MD5 e416371369b5a5927a2a1e65a4b2f4cc
SHA1 55a595cc102d4d377fb1b99e5aeeb0e91d1b486a
SHA256 403935debb9689a5f65a2e2d524d535400f2972131d1fe008c40e74e3f4d6052
SHA512 bae9dfefa3eb6429ca83856d77a2ba2e4fb6b3a6e538cb81a70796a2b0e1cc7b1293cf45bd324ef1cc101ee1a103d2df23d07d2a0aafcf44357b8e76d17d9b3b

C:\Windows\SysWOW64\YwMk.exe

MD5 b4b795a72203bfd4846a66aafecaba7a
SHA1 cd0d7dec039d8e12b317003106d863a7ed5a5be9
SHA256 0fc17a5e1e90fbbf64b5d1601eb7c4cb0e3369c776e8749ecc452d56cd1b33b5
SHA512 745583ed43ca1f21dda803aaad0a758e843ea92b7b798d25af1e721bbee251d97553de36decdb4aebf4a8ef3e8324a9f2a51f5c83a83f9f6d76b8f8af96fb79a

C:\Windows\SysWOW64\uAos.exe

MD5 f481db1319c13bb8eb12b431705a42c5
SHA1 308cbdbb3bf29567ea7ae273cb12ba3f8fc8b6f2
SHA256 6690a609b9720c6902b716f63c2e2e1fef82e07d4cd486e56c0b0738b1271a91
SHA512 33175a93b884898dc62e09a579bb19f04cc757c8ec07ff91123dc29b1e6951793b97f2ed629bdfbbac2bf80874a4b736b95928e58011260308286c0fd2798348

C:\Users\Admin\Downloads\DenyPing.zip.exe

MD5 e120f7f0f4e83b0201ffc52e84792133
SHA1 b5b8bd31bc7e870c3f37d970c948503e47f97fec
SHA256 f00d1d922f220b2820c37782b77e4b701fc3dd03281229c5acc31fa36cea9e38
SHA512 5f7da52f9940775833c08b6d8b7dd834194ca7b2bd23d95d50cd9b4bef554033184eb22f6bb1aee015e3ff59a48de860de1311eb44cfd68765b392f8dad18e8d

C:\Users\Admin\Downloads\LockGet.bmp.exe

MD5 8f8be4a42b8893eeca606941237b142b
SHA1 eff37130574e03002f4207029ceb084dd3e600ae
SHA256 d00e37cd9da22e9601998145a13907a65d9e1b5822d421e449ba980da68fb317
SHA512 d57e58cc32a2a6d4c0c0c6b9a8e505fb2d73e55550ca0d2badc7590ec912fe9fc65a69b8f0fd4c3f68bdaf21d0637259c4e3efa4dea5b9b4ac491301f9ba993a

C:\Windows\SysWOW64\OUsa.exe

MD5 f97a4ecd11903ed6ca4c092ac3c8d002
SHA1 cfca0394beba61573cd81944e32d76dca855efe9
SHA256 a931661e8faf091aede203b4124feebfa063bc4d596b5a501c2bfa6826b43a98
SHA512 840a3df7719d5b0075f9013f9692b32f0a3dd04e7ae75e476ce626fd85fa20b10e187a85e47b002317abcdbe9c31cc844efba6d34294d02179191503e3135791

C:\Users\Admin\Downloads\PolyRansom (2).zip.exe

MD5 3005a318547f6d8e2a7b7e1f533d145d
SHA1 7485a22717939ba9c79c516cdeb8e0b9c08c8ed0