hxxps://bonzi[.]link/

Resubmissions

07/03/2025, 01:45

250307-b6lhvssmz6 7

07/03/2025, 01:35

250307-bzy6da1xht 8

07/03/2025, 01:14

250307-bl6y3asjy5 10

25/02/2025, 23:16

250225-287f8atjv5 8

Analysis

max time kernel
330s
max time network
325s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07/03/2025, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bonzi.link/

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2944	MsiExec.exe
2944	MsiExec.exe
2944	MsiExec.exe
2944	MsiExec.exe
2944	MsiExec.exe
2944	MsiExec.exe
1536	MsiExec.exe
2848	MsiExec.exe
3240	MsiExec.exe
5116	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
121	raw.githubusercontent.com
122	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 505e3caca981db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{C0C1AB1E-92C3-4499-B340-DC6E464015CE}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{65822780-FAF6-11EF-BAC9-5AEA9252F6E9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "448077139"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 257617.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1464	NOTEPAD.EXE
1824	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
1488	msedge.exe
1488	msedge.exe
1948	identity_helper.exe
1948	identity_helper.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
1680	msedge.exe
1680	msedge.exe
2640	msedge.exe
2640	msedge.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4440	OpenWith.exe
4500	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	3500	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeMachineAccountPrivilege	1680	msiexec.exe
Token: SeTcbPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeLoadDriverPrivilege	1680	msiexec.exe
Token: SeSystemProfilePrivilege	1680	msiexec.exe
Token: SeSystemtimePrivilege	1680	msiexec.exe
Token: SeProfSingleProcessPrivilege	1680	msiexec.exe
Token: SeIncBasePriorityPrivilege	1680	msiexec.exe
Token: SeCreatePagefilePrivilege	1680	msiexec.exe
Token: SeCreatePermanentPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeDebugPrivilege	1680	msiexec.exe
Token: SeAuditPrivilege	1680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1680	msiexec.exe
Token: SeChangeNotifyPrivilege	1680	msiexec.exe
Token: SeRemoteShutdownPrivilege	1680	msiexec.exe
Token: SeUndockPrivilege	1680	msiexec.exe
Token: SeSyncAgentPrivilege	1680	msiexec.exe
Token: SeEnableDelegationPrivilege	1680	msiexec.exe
Token: SeManageVolumePrivilege	1680	msiexec.exe
Token: SeImpersonatePrivilege	1680	msiexec.exe
Token: SeCreateGlobalPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeMachineAccountPrivilege	1680	msiexec.exe
Token: SeTcbPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeLoadDriverPrivilege	1680	msiexec.exe
Token: SeSystemProfilePrivilege	1680	msiexec.exe
Token: SeSystemtimePrivilege	1680	msiexec.exe
Token: SeProfSingleProcessPrivilege	1680	msiexec.exe
Token: SeIncBasePriorityPrivilege	1680	msiexec.exe
Token: SeCreatePagefilePrivilege	1680	msiexec.exe
Token: SeCreatePermanentPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeDebugPrivilege	1680	msiexec.exe
Token: SeAuditPrivilege	1680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1680	msiexec.exe
Token: SeChangeNotifyPrivilege	1680	msiexec.exe
Token: SeRemoteShutdownPrivilege	1680	msiexec.exe
Token: SeUndockPrivilege	1680	msiexec.exe
Token: SeSyncAgentPrivilege	1680	msiexec.exe
Token: SeEnableDelegationPrivilege	1680	msiexec.exe
Token: SeManageVolumePrivilege	1680	msiexec.exe
Token: SeImpersonatePrivilege	1680	msiexec.exe
Token: SeCreateGlobalPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe
2384	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
3928	iexplore.exe
3928	iexplore.exe
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1428	1488	msedge.exe	84
PID 1488 wrote to memory of 1428	1488	msedge.exe	84
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4788	1488	msedge.exe	85
PID 1488 wrote to memory of 4980	1488	msedge.exe	86
PID 1488 wrote to memory of 4980	1488	msedge.exe	86
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87
PID 1488 wrote to memory of 2092	1488	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bonzi.link/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff7d8546f8,0x7fff7d854708,0x7fff7d854718
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6848 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  PID:1608
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BabylonToolbar.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1464
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BabylonToolbar.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7744 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7092 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8747682991518677908,12192474959314396954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3448
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
  2⤵
  - Enumerates connected drives
  PID:1128
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
  2⤵
  - Enumerates connected drives
  PID:4260
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
  2⤵
  - Enumerates connected drives
  PID:5112
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
  2⤵
  - Enumerates connected drives
  PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3928 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1312
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3928 CREDAT:17414 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:4104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2B3B3F0335CD8DCFF3A418AB838852D4 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9255524551CE4B405E881A8DB5E34B4D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 01255A97EDBA986FF5B58AFE415138EB C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DEA2443981426B20A6B3C148D1546030 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5E2C4AAD1117F804AEB65400EB2A9F7D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4500
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
  2⤵
  - Modifies Internet Explorer settings
  PID:764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:5012
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  PID:2012
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CB6E6233A703B88984E01D945E9F9B87 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4672
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=25A0BA52156FEF93BC28CE6CC389473F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=25A0BA52156FEF93BC28CE6CC389473F --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05AEF01CFF893DCC9B7FF5760F4A6974 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2F3AFC719A2DC4F55F46455C692BE493 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3884
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7F3792BE011590AE92B0F4BC15C1C4C5 --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
3e1a60ee3911d7db9d0e888d8364648d

SHA1
5114269aa75dfe658e717892b6c5220671c9da3d

SHA256
7f48be87830cf00e11951318ecdcad7d2b76c3efa957f76dbc02b487c724f7b6

SHA512
658fdda93a29abdc71bceb97473aeaa0bb707d440531cf5bad67c050562fe982f6cbce772b897a94e10ac2e51152b3599be10601518a3830b5d741dea82ea510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_1EBE14305C1CD982CC3D154951EA37D2

Filesize
727B

MD5
dddececaf4dcce724da72d06a6ee85b5

SHA1
a3cf2e0e6c1f81317a9073c518d456a646fa3bdf

SHA256
15bd794a216461f4f1221cdc798302d345922f69487f141d1af3f88bd4b1dded

SHA512
31bc1e1456c1aff548b8fbc69881e1af3d2b3746496a8cc467ae7ddc0c52b01ee74639a96a6a5b6e8ce4cde1a7d58856e7cc06d00696ea41731c5853f54dbf66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
9864170acad2c8eb1c365473a4842b2f

SHA1
04b2ed10bb1236fab447ae37af9d51fa554138cf

SHA256
c2fce6225070376541b4122ed8cc62caf95e58649b6c56af04d0fb637dab7837

SHA512
78ec628533390b4074478208f3723f690c5ba953aef70dc4163ae2fdaf551d68d440d5d3e54910ba2f0a6da5d01da7d9adbb39b7168f114dc1e522569ab555ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
76fffda07392223e95a2a994bc9a4d19

SHA1
e033e5514dcd615bc8714ad14a72256a5c0a411e

SHA256
0caeced0005c7d7a17c26218365f8d7703879352a7c3df75c439a3ec2b7ff772

SHA512
30ffad6f6397c64cd95475596ee6561877ce2c651fb19c826e9379bf25e1bd6adffcec88000067e09fb77a16edc854167d5332b13ea4e5ce89e5899f6b9cf868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_1EBE14305C1CD982CC3D154951EA37D2

Filesize
404B

MD5
714334d52dcc2f463ffb6656e04962ad

SHA1
1209d76d20b1069bf716e0f38076bfac717e2224

SHA256
33ed3cd09c2c7ebb95928a7671326c93bcb060dfb0dadce735cc914b8bae4a43

SHA512
c95ba4890c73a2191bf1aa1a730b44f3f6caa4d71967d6dbde09cb52cc33823f93671761cf2d7b53391af9a99c9412ae9b6ef37460a2145c47fcc31ea8fd5fb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
651034ee5f388971c0a2ed94ec1c613b

SHA1
971bdbbbadb3f01dbdaa65053ef449101a3a2836

SHA256
99379417405a8c94d9058a00e495fbccececa2db2cf18c691a70bf8a1dcecb1a

SHA512
b3426ef18e9aa0d85ddf103c048705bd06fcc01fad8478bb434b6eb8a489db1ef16b24c524cb57ebc9f7f89b8d7bed19925bf720f83d3edb50486ddb8e53a1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed05621b2a1e4a5665da21bfaf333a47

SHA1
4cd83a338b9bb2940b9cd9c3c8cc6a7638556579

SHA256
bc3f423aae2852f02ecee50bc19e7c78cc61b20e0d3bb04237ec628c3cf63c5a

SHA512
775d9523db85198ce510e082e2932fdcb7ef2ef1ec8d730cada441f795919399ecb3fb72b498c1c20c555aa95728a33bc45387ae43818cef51a19316bd80b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
2247f77ffb3a377e9426f2756bc97266

SHA1
6a99937fba840478e4be02eea481abb716034788

SHA256
866498800d012a44133a6e60e903cf0b257b538dd60080fbdf6bee31fce3095b

SHA512
4f00719a2999285c6b727d1daa7a29a44aec15d722937a7608c78f08356bb19394f2b1bb7e1c9a7abc903c3e58279710a547d871318e8bea71b243f5c786991b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9139a0a8e3cd9e7ace5c2c2dd188dfd8

SHA1
8b5c41a0a6c9404a2d775ee0491d7c7f9a9c0c72

SHA256
4c8b3696b99bfdd0d708c3f8369688d9ae3c4d985c4cf8a8b184879eb56251a5

SHA512
f991d9a515083eda46ff6d212bfbfc2bc7065c745e342a042b68a8518c97a0f86b2280c27097e620d3174730a2624e83d7f9ee2ea1aa653e750554babf0113ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cd7b8c9c0c37b6f34b306e5a4e23b0d6

SHA1
4d2543b09012db3e6351a51634e1650b4cdb3d8e

SHA256
702140b2feb8fc38b2b185c5dfb09cc77997310b55331163b9a3a7efa7b6ad96

SHA512
be33801e0a6e47a26238843ab24329d580aeaa37defcd2929342d741396a379cbb8f59a382585b28f22bd5c61afeb4016446dd84bd1bcb83fced8739356bbe13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
26db25d4fc2d572b55f55549fa160fb0

SHA1
0002ec5ce91c01fca67a649b612b22378f884e38

SHA256
456ac44619b6d09aa4b22f9e30676f183a13ebbac67943d8e9c90efd3e16e62d

SHA512
c28abe9ee51773cf2d8651ad239f195a20e1aa58cd69af64fd70d9b60dce5aa315ac93ca6880dc34b8df19d46d57736f61c38f0cde1df3fe15bf41f1ea008d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
df0f642392bde39140defe9db5fc3ca1

SHA1
eadea5d10551f2bffdd5d0ce02707666ee909cf6

SHA256
1e2bee7740c1e1af2f14328a86e05623e9e18898f54615a85af719b194e587e0

SHA512
d3effd2228e3a0711b82209879adaf89126ee576d3c5882544c85ba96c37329e5f8fa994d20716ec3e4feab70c8aeb63c09ceb0aa3a56965dfa3f3cf30519c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c0d64ffb7e08ab6a9aa9f92ac3e60b1c

SHA1
fb088b268414a451c0e487238b7e36edd9f1e0ba

SHA256
91232ab9f0137d4cf18125efd3f24f99638e075cffe8d4e53d18b8eb4344c465

SHA512
44c17180cd9af886c1e34e7e4a847fd61ac9276ed64a66478ec8129e63baff6acd3777f455873bf5b1b8a4d74087ef8648d6f2028e7b3c15feed8ce93b712270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e50691ab00e1bc8fc12dc0889b9fe542

SHA1
1b2eeeec5f43c1a2260a2c5ca68e8971eb39285c

SHA256
eeafcef89fdc880cc52c1575afaab6b350308845e6fc9dfc202d0c1d2169bae0

SHA512
9dfa7389851faf8f5dbca5ad3c118f56cde91684a2249a6b78c000b65eb469b60428c9071a60f4e59db934242d963944a311ff3fc3e16a7e2bd50b00f121a654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b2690e45b8431b6bf89f310ccc139ee6

SHA1
4bc60d7bb4bf75feb7efe7e5dc980477b9ffbab1

SHA256
534380a2a2a2e47ce8e659ff62b2e9c239be317ebe680cea8dd204bc1c80d966

SHA512
147c4b4b4bc8c098dcd495bfa3c6fa32ff2ac7a33adb54e79d4537d473a63a55ef0455cf928a1acd282ca3e4cc21ab03807bf15afe0e9d6fc7f732b549fa81f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a12da56e4f06174270880a08a08ade00

SHA1
9711027df258b970562bfb839e13c1005b5403bb

SHA256
4281258d1e65b1575b610c8d4ac6ced6cfc2f9eceb4cb1cf2592a9aeb4290347

SHA512
f305b43f01c1760e17b1dff3564dd3ec98a959a73d8fbe2244ed1b4ed002a416b6922d93ddaa583fc5bdb42198625916c60f0fb368c77983f09bebd315e26f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d627abe0a90c14b6f548b79859caa61

SHA1
782f69e9beb3485317209b7cd1201ad710d855b9

SHA256
6b339789b24a93b9eb935df5cc2eb12f4eb8bc3898b07f7ca602865a7b7acc33

SHA512
00033d8f93b8e7652d828e070469a9fb20e7b39e1166b9ce990f039de459b19a877d9410cd3600b1fae5c2e32d8dfc3f7f6bf9d615a6b4c5896281ddca3ebedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d0904fc2e9e4618de78092fe2dd860a1

SHA1
560e21454521b29103de70298f02f88009bf8d8a

SHA256
175a3d14ac10a39fe7750ab88cd1fddaec59977207e059aceb4b4ded38eb08bd

SHA512
3fa97f6dcfab6599f0e1ef40f4a181530e1d5d7567b1f97a0fe5a6d6735ff531a95146f462a11731c90534feeeaf70015d7df4a7b220cdc1ca3459085b81082e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37317dcd4a64f225072e157ff1ba07a9

SHA1
d5d6d7bff92ebe5a754e09daa90e77dd0a4f0963

SHA256
737a3816ac1283b673764881b6e386b33fe56371041758c6100554099a98ab05

SHA512
d4a70a503857628430a5239031d730d65643f0326b249e0990fe3f522eb2dd70e94393a0badd22bc3d0e91f62394ceb3d2103efd09c9b9ed4aa9a1174e777dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e06e0eabe13da96c0555c9f41f27680f

SHA1
aeb0ff83a4000fc3425afae51862c468d640d773

SHA256
41cdd39dd72d2e3b06cb3894fb08435c66cab64a4b5e6f7c42744886e60a6368

SHA512
6fdc73101ec2eb9d36a7614e6e824b90af33ffc9a2249f08060f0d26bf0776d07bb65eb4f11fa2a9c07e248e7f5396d8fb5271a48b9927e2603edcf332a527aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
febfe5785236ec098f6c6bb02b981fec

SHA1
d854a66d886c6969f5c427400adab27d697c511a

SHA256
9bcfa8e3383ceaab3bcda28608a7aed2b1336cb7171850635fb3805f1e0cc03d

SHA512
e080d5c7b2231855987a1dda4f91ab74e9eb79dd3ff5b8fa166642670d8a30043ba878784e1d1b44b04664c99fd4a6ae155fa34b22ff4daf79bfab4baa4b06cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10662d16bd81da43dd5c973e487eee83

SHA1
ee71e7852777f922c2c74c23d0c1aaed9c4ccbe4

SHA256
2aea5d38baf75ef07317d17ca21ba499b7fd4cd08f1ced0e11028ba4a3b35948

SHA512
bad2816cfabe710e74f70ad3926834789db491c2c787f87fbbdf7a796d26fbdb1fe3e7efbcb3dffb2a9dd73aba6d5f79555de072ea703b018821dd07688ebaac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e08f562ece2e4c5725a61d9180bdf90

SHA1
bb78cbc0911df773341aecae72bfac5122e11461

SHA256
0e7d1dac23210a08ba45cb8499d4d6d2761ec1cbe560383d2e9f26c1d3a9f008

SHA512
59935aae8152530e49cb6a8dd0302fe68f1be756c372aafb9c09c4d7c7b153fa097482ff565bc52e6e1d51630c050c1843922589e847bf89e990499d05a4b46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
190603b8846d80d1925307fdb69cdb97

SHA1
7f1f0f002b6c5e65b688a6a19688812095ee10f5

SHA256
56b095be638a35a4576b211c412b1172ba020130aa9fc39364ab2d339d9981cd

SHA512
2f238650ace59be8c885f29adc2d97d1904078925423bb7ae4dd7188bf76fb37a37a3f77826ebae7ceb5a1a924ade93171a843a6db9c284958705f1fa7cb8ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
311da3e9bf9c92d7055e97cd406d6e0f

SHA1
fefebc167a152bcaad912d58955e23f77491b7e2

SHA256
bdb7817530e364ecf5e23f62789739025987b54ac1d9b1d1a03ce90091d1c702

SHA512
3cb9f989381fca2cd03f4f34bb55979e064bbb9e0f23ffbce66de198c85d54f076c754d128d3eb464efad7476dadfbade054dbdc9e207ddf085ba2ef8d02cf4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580d1a.TMP

Filesize
204B

MD5
e862458242abf436940dd471350b858f

SHA1
75ee3b4279b3928167adf7c8b52abb9654e40144

SHA256
64af4942f0d11cbc187e65dc2f10a0409e46606486554fadb236cdf75400d621

SHA512
2372009be3f50e03e9b84dc769d4e5535d471039165003c341dee1040bf07cb0eaeba80aaf8436a68b54dcf35e2eaa25b366f8fa964aabbf43f9eeb60b14de32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f965dfe48560f03035880e4f7c534d6

SHA1
f161d910e9316927be71c7401c331084f9fa4438

SHA256
8b29bcf16ccf94ef6e174e2349656d500507b0e4c09b6dd9e6c8030e095e82c1

SHA512
309219533d28b678c1cf5990687ba288797c437831511faf848b7e8eccb6096fc452701576db159ccc838547ce2be1ebf9382480976c1fc0353bb1405d1a2a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
852757c3dbb5c6733c4196fb807c9f11

SHA1
db9541eb5a5bcfa95b5dc317dcf7841daa408acc

SHA256
3eb4cb26fc2ba9343c0bd382c9255e246a190f881b958a50bc2fa544c037083b

SHA512
50df283086d0276fcf57ce547716dcc3a1c7ea0736494e8ccbc3bc2c891b3c03f7f1922c7859df5324b8ae82f4a848630a65c89aeb19269eafdb28bb95c8bc95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70b441191956987a27db822d765d017a

SHA1
81226af2afec0fa74a000264a13f1a28c52633d2

SHA256
78271735787a616052e5b22d3631f04586d7bfee098ddd1a0db77942f3806dc9

SHA512
8f4a5006da08f57ab4270946b0ce926b5076c3272ae2dcfd0b2ccee32a6eb06a11832c254965e305abb91a4260c236befda564bb249ebae6b9ea38ee54cbf5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57e52cf99451fd2d7a155066fc3fd6a3

SHA1
3878454c6c6d122f6899d7a982c476d091cfdcd6

SHA256
647dbb95f47800f03c4044c7f827c79222ebf8b7187324694730d63b06b9bb67

SHA512
0e9332984e806ee16a75f468fc3b64dceeb4e2a6f72cabce645f126aeaa10c34b76b25c33c90031eb6a8e2bb26e12265c7395bf9124b28d33a52de5ea4fba4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34d01adfa39de73555f70e23a8ef4815

SHA1
ffe9eff78898da0e7ff8bc6b717c8b1960a129da

SHA256
c66810f2b7c20f11b5546c7629e7157f5172fc490c9d729c4c9db5210c5dd98e

SHA512
11a513c75c06e421c6b5c0531c47184c6df33f5293d62f9d8eff380f44f403bba24ae31dc1ff92360db6334a9a4979ec1a2e1d335ce275882d50801821d9fd37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
196a04b25e58cd79fb1aea2b153b13e9

SHA1
51ad1f2bf9686a5c7b4369f8de28c6ce9a6562c4

SHA256
bb9f649d24ca1e48d9b7cf0bdbc9c816ec04384829193b7bc13624ac79cd0aa9

SHA512
8b47671c94815f7d14723cb4b2a51f0a7ce6143947fc2c788d6e8c69dc7c6bf01473b4993df871f659843e70b1518ff1375bad0065e52f206136a9b10fa76f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e8648f98-0a76-43bd-bcaa-fc3166b0d206.tmp

Filesize
10KB

MD5
3216e2cf06a7dec6ac567dbb2bfd4f00

SHA1
baa21aa976554ef8f275131a19be563a458e4249

SHA256
6c5adbdd39a7b88c58b1c8162708700cefc7ef9d2b979ce00fe0d9cf1169f160

SHA512
3e5d716528bccfee49dd86497a9cfe0d6dae4cd8969eb8e045742826c4abca03eb75d15fdbd61e7b45f2b2e0b06ea374ceaaa30e583fc510a6cd822d26495973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\65NL5GLV\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID562.tmp

Filesize
421KB

MD5
6480fcba16736e3403d6c0ad769ffe25

SHA1
dbbe89051854351bab03bf4e62c2f863d1fe0be8

SHA256
3b53053d5fa16cf295c6c802b6994dfebf476e7675a475af02ea0d30a1a5498e

SHA512
bd5bd6de378968da6bf7a163052273aa21c12ad369ff39d7095bec0dc5d97d3fceb721d113c682d7b0e7c3c91a15cd0d7abd27acf7348357b02beb90f38ec037

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\BException.dll

Filesize
142KB

MD5
d7c8a5e488306d17b368b3edd6c92fff

SHA1
d5e3d2f00a17c8e7d9b067fa3aef56d1c8e59902

SHA256
02c5e8e8541645d16d68cb986b895b75d83f135aa8da4a8177e5534b9a86b7c9

SHA512
d44eff21b9559d972e459e47d49d788e11d75e30517ba1a6c8e07f08d1bd24ffd76fdb73232024db33a590cb8717079e7af8aa848768963a98a4fbb4a20e0d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\BabyServices.dll

Filesize
922KB

MD5
a80876290a9ddbb9b24ad6b17ac805b8

SHA1
a748e945053c8358654bf72f4f1bfeb5326440e2

SHA256
8b614ae0babdaea704e2a6aca233333132a23ae463fe9390d769ba4110e5be4e

SHA512
7d05b15be914dac1115a66f6092cb160d54ff4dbafc185fc7f9f52408d0c2c45700132385109f2e2c47caf0ea3032f28ce8b259b434f129db9b46bcd4aa1562e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\Babylon.dat

Filesize
12KB

MD5
caba4f92c996b698e7923ec7cf6d66f5

SHA1
5af3f322dc56c85a1bc0f4a884dac1907d2efa7f

SHA256
04c4ee982e3838368579739fcc0da68b3770f34fc6e2f200dc1499bc3268f3af

SHA512
f35f3a46b72c4a9b83de7ba1740b8cf2b4e32200dd43f687bf2f7ca16d4113b640d814525a5c4cb417aff66ed9cd5b03eac2b692396a332ce7613fa1564ec969

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\VersionInfo.txt

Filesize
4KB

MD5
1d599cc877db7968b524df5617a553de

SHA1
680f8d4d5381a1cf7f12016c1234ef48ab8441ac

SHA256
6211dc3bf9a0524a8c35e8624cfcc83b2ef2fa7ea89dd2cbadadb61f1867531f

SHA512
7aa177ad3e7a6e513cd2767675333426cce20f4a1d39deb4a3b9f358a92d473eafc5bd998d73413c3429f0eb6355b86e8f018b65f8f690febfd3ffe250124259

Download Submit
C:\Users\Admin\Downloads\BabylonToolbar.txt

Filesize
57B

MD5
2ab0eb54f6e9388131e13a53d2c2af6c

SHA1
f64663b25c9141b54fe4fad4ee39e148f6d7f50a

SHA256
d24eee3b220c71fced3227906b0feed755d2e2b39958dd8cd378123dde692426

SHA512
6b5048eeff122ae33194f3f6089418e3492118288038007d62cdd30a384c79874c0728a2098a29d8ce1a9f2b4ba5f9683b3f440f85196d50dc8bc1275a909260

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 275557.crdownload

Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
memory/2384-943-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-944-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-942-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-954-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-953-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-952-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-951-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-950-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-949-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2384-948-0x000001C3A6030000-0x000001C3A6031000-memory.dmp

Filesize
4KB

Download
memory/2944-788-0x0000000002910000-0x0000000002937000-memory.dmp

Filesize
156KB

Download