hxxps://youtube[.]com/@boffy/

Resubmissions

20-01-2025 05:23

250120-f3dfastmap 7

20-01-2025 05:07

31-12-2024 05:12

31-12-2024 04:49

31-12-2024 04:46

31-12-2024 04:31

Analysis

max time kernel
1800s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youtube.com/@boffy/

Score

7^/10

credential_access discovery persistence stealer

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Whiter.a.exe

Executes dropped EXE 25 IoCs

pid	Process
3936	Free YouTube Downloader.exe
6712	svchost.exe
6868	taskhost.exe
4080	svchost.exe
7012	taskhost.exe
5672	svchost.exe
6504	svchost.exe
5784	taskhost.exe
5980	svchost.exe
984	taskhost.exe
5720	svchost.exe
4920	taskhost.exe
5292	svchost.exe
6164	taskhost.exe
2708	svchost.exe
2220	svchost.exe
976	taskhost.exe
6604	svchost.exe
2336	taskhost.exe
1360	svchost.exe
4648	taskhost.exe
5564	svchost.exe
5576	taskhost.exe
3008	svchost.exe
6548	taskhost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Whistler = "C:\\Windows\\system32\\whismng.exe -next"	Whiter.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe"	Sevgi.a.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.348_none_5e9c11248df37d0b\f\Desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Whiter.a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\Fonts\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\Offline Web Pages\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Program Files\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	Whiter.a.exe
File opened for modification	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Whiter.a.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\c:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	Whiter.a.exe
File created	\??\c:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	Whiter.a.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whismng.exe	Whiter.a.exe
File opened for modification	C:\Windows\SysWOW64\whismng.exe	Whiter.a.exe
File created	\??\c:\Windows\SysWOW64\regedit.exe	Whiter.a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.scale-150.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	Whiter.a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Reflection.Primitives.dll	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-lightunplated_contrast-black.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\ui-strings.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Windows.UI.Xaml.Core.Direct.XamlDirectContract.winmd	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-lightunplated_contrast-white.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif	Whiter.a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxC	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\desktop-tool-view.css	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Illustrations\icon1.scale-100_theme-dark.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubSmallTile.scale-100.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-80.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateSquare310x310Logo.scale-125.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-150.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32_contrast-black.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\WeeklyDayPicker.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\LICENSE	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-100.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-white.png	Whiter.a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.ServiceModel.dll	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Fall_Center.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\ar.pak	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-150_contrast-white.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\WorkingElsewhere_Dark.scale-125.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib\types\IAnimationStyles.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_en-GB.dll	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsSmallTile.scale-125_contrast-black.png	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation_Light.png	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js	Whiter.a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	Whiter.a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	Whiter.a.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\VertexShader.cso	Whiter.a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\es-419.pak	Whiter.a.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Configuration.Install.resources.dll	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Data.Entity.Design.resources.dll	Whiter.a.exe
File created	\??\c:\Windows\PolicyDefinitions\de-DE\WinMaps.adml	Whiter.a.exe
File created	\??\c:\Windows\servicing\InboxFodMetadataCache\metadata\Language.OCR~ru-ru~1.0.mum	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..pickerhost.appxmain_31bf3856ad364e35_10.0.22000.282_none_08c227a0c7c9c4c1\f\SplashScreen.scale-150.png	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.22000.120_ko-kr_4f1aacfaee8b29b2\f\W32UIRes.dll.mui	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.318_ko-kr_abffa8ed5fbb1f7b\f\SetupPrep.exe.mui	Whiter.a.exe
File created	\??\c:\Windows\Boot\EFI\ja-JP\memtest.efi.mui	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-search-adm.resources_31bf3856ad364e35_7.0.22000.120_fr-fr_9c81404d895c15d7\f\Search.adml	Whiter.a.exe
File created	\??\c:\Windows\diagnostics\system\Search\fr-FR\DiagPackage.dll.mui	Whiter.a.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardPermission.ascx	Whiter.a.exe
File created	\??\c:\Windows\PolicyDefinitions\it-IT\appv.adml	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..erprisesn.resources_31bf3856ad364e35_10.0.22000.493_el-gr_772a7d8261b2da50\f\license.rtf	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\i_clearSession.png	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dlers-accessibility_31bf3856ad364e35_10.0.22000.41_none_80bf6708dd35dc0e\f\SettingsHandlers_Accessibility.dll	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.120_lv-lv_2f10e9d1c8244b0f\f\reagent.adml	Whiter.a.exe
File created	\??\c:\Windows\Cursors\size4_m.cur	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.120_zh-cn_17c494cf0de9521e\f\reagent.dll.mui	Whiter.a.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1252.TXT1	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.ja.resx	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_it-it_b3ec1c462326dfaa\f\RS_ResetIdleDiskTimeout.psd1	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..orkstationn-license_31bf3856ad364e35_10.0.22000.348_none_851f4309c395c5c9\f\ProfessionalWorkstationN-Volume-CSVLK-1-ul-oob-rtm.xrm-ms	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_nb-no_d9298739776532f6\f\CloudContent.adml	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..resources.resources_31bf3856ad364e35_10.0.22000.120_zh-cn_996509d55c230f43.manifest	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\Assets\contrast-black\GetStartedAppList.scale-400_contrast-black.png	Whiter.a.exe
File created	\??\c:\Windows\assembly\GAC_MSIL\System.Xml.Linq\3.5.0.0__b77a5c561934e089\System.Xml.Linq.dll	Whiter.a.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail	Whiter.a.exe
File created	\??\c:\Windows\servicing\InboxFodMetadataCache\metadata\Rsat.RemoteDesktop.Services.Tools~~1.0.mum	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_10.0.22000.258_it-it_d62d585b93fd104b.manifest	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_pt-br_1ff9179d5c3d3e63\f\EdgeUI.adml	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_10.0.22000.120_pt-pt_de214c814baa5897.manifest	Whiter.a.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Microsoft.ConfigCI.Commands.Resources.dll	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.it.resx	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_10.0.22000.434_en-us_55640bbfdf0e5f57.manifest	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\Square310x310Logo.contrast-white_scale-100.png	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_10.0.22000.258_zh-tw_ad0536f5ae64d948\f\ikeext.dll.mui	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_es-es_270cb0005922e3ca\f\RS_ResetIdleDiskTimeout.psd1	Whiter.a.exe
File created	\??\c:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design.Resources\3.5.0.0_de_31bf3856ad364e35\System.Web.DynamicData.Design.Resources.dll	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mapi.resources_31bf3856ad364e35_10.0.22000.184_cs-cz_e24d275488985aaa\f\mapi32.dll.mui	Whiter.a.exe
File created	\??\c:\Windows\PLA\Reports\it-IT\Report.System.CPU.xml	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_gl-es_c04f23e11eac2063\f\license.rtf	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_10.0.22000.258_nl-nl_028e809052da1ecd\f\ikeext.dll.mui	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorAppList.targetsize-16_altform-lightunplated.png	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.120_ko-kr_8a784f4cd67e3e82\f\wdsimage.dll.mui	Whiter.a.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.comments	Whiter.a.exe
File opened for modification	\??\c:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\ba20ec2b3cd332b01074845b9a445ba8\Microsoft.WSMan.Runtime.ni.dll.aux	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\aspnet_rc.dll	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.NameResolution.dll	Whiter.a.exe
File created	\??\c:\Windows\PolicyDefinitions\fr-FR\Globalization.adml	Whiter.a.exe
File created	\??\c:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.Resources\2.0.0.0_fr_b77a5c561934e089\system.data.sqlxml.resources.dll	Whiter.a.exe
File created	\??\c:\Windows\INF\mdmcpq.inf	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\de\Microsoft.Workflow.Compiler.resources.dll	Whiter.a.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.fr.resx	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.xml.resources.dll	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..-spp-plugin-windows_31bf3856ad364e35_10.0.22000.120_none_0d1f5b2781dbd9b0.manifest	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..aleducation-license_31bf3856ad364e35_10.0.22000.348_none_331eefd975a1bd2e\f\ProfessionalEducation-OEM-NONSLP-1-ul-phn-rtm.xrm-ms	Whiter.a.exe
File created	\??\c:\Windows\Fonts\dos737.fon	Whiter.a.exe
File created	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Extensions.dll	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_ko-kr_d7d5f84bd2645868.manifest	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.22000.184_en-gb_ebab7f75676f45ce.manifest	Whiter.a.exe
File created	\??\c:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dminflows.resources_31bf3856ad364e35_10.0.22000.184_ru-ru_465131e0852cdf44.manifest	Whiter.a.exe
File created	\??\c:\Windows\INF\errdev.inf	Whiter.a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6220	460	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopPuzzle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Whiter.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nostart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sevgi.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nostart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
3372	msedge.exe
3372	msedge.exe
3524	msedge.exe
3524	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe
5748	TaskILL.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	Sevgi.a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5748	TaskILL.exe
Token: SeDebugPrivilege	6268	TaskILL.exe
Token: SeDebugPrivilege	3124	Zika.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3936	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2920	MiniSearchHost.exe
2508	FreeYoutubeDownloader.exe
2008	OpenWith.exe
6712	svchost.exe
6868	taskhost.exe
4080	svchost.exe
7012	taskhost.exe
5672	svchost.exe
6504	svchost.exe
5784	taskhost.exe
5980	svchost.exe
984	taskhost.exe
5720	svchost.exe
4920	taskhost.exe
5292	svchost.exe
6164	taskhost.exe
2708	svchost.exe
2220	svchost.exe
976	taskhost.exe
6604	svchost.exe
2336	taskhost.exe
1360	svchost.exe
4648	taskhost.exe
5564	svchost.exe
5576	taskhost.exe
3008	svchost.exe
6548	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 1656	3372	msedge.exe	78
PID 3372 wrote to memory of 1656	3372	msedge.exe	78
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 4768	3372	msedge.exe	79
PID 3372 wrote to memory of 2712	3372	msedge.exe	80
PID 3372 wrote to memory of 2712	3372	msedge.exe	80
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81
PID 3372 wrote to memory of 4192	3372	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://youtube.com/@boffy/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa781f3cb8,0x7ffa781f3cc8,0x7ffa781f3cd8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3372 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17286410312847677649,3810305180924863311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:976

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4556

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2508
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:3936

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 560
  2⤵
  - Program crash
  PID:6220

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2552

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5392

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\vi4a.apk
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6268

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Whiter.a.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\vi4a.apk C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe
1⤵
PID:6824

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3124
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6712
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6868
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7012
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -addoverwrite C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe", "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5672
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6504
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5784
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5980
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:984
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5720
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5292
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6164
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -addoverwrite C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe", "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6604
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5564
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5576
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe" -extract C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc, C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\WindowsXPHorrorEdition.txt
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 460 -ip 460
1⤵
PID:5516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.dll.sys.exe

Filesize
135KB

MD5
02dd97fda204fd462f220cef4c714d1d

SHA1
c6b705c05593709971dc4203ed98ea85f453c593

SHA256
842738dabeee709c2a7d706566bd3957f667b4c05f270d8d9448b121f2fbbe44

SHA512
8302b04e7f52e8343b0cc24a6d1e4e85bc8893ea8ea0d389f2dd5140cb473cf0865cdb1c2873fd3ce5ce4db186a475670f0dadaac3c859a4a3a95edae8d7ae47

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.dll.sys.exe

Filesize
287KB

MD5
a5a1e89d922f9d0e308391abd1e1e35b

SHA1
4480fdbbe4825a63bf8da81617b8d48cdfaf8fcc

SHA256
15052c9984705a582e4618b604cf02bd0c58faeef3698caf4a9735537f2e5e80

SHA512
86b0f35a89bad9b797f651043794a2a596e6c84c662ba7b58ddf354d3cea11ea97890e971477a092a4b0dc781e929a00aa0628ae2a2957eabfd009f34e0ccbca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll.sys.exe

Filesize
2.4MB

MD5
b885527bb2c0f0cd91070a58a23a1a46

SHA1
95f9c87a496817d6e98de260d1677fde217dfa09

SHA256
2fcd51e705e9c091e4f23ab61960dfc99883b7c7158008c2f77be22d0b97f853

SHA512
d79d93effe35bdba813aaf07cdcb7998bcf4bdc84851105fc288f09a36a18f22102df5b9b86d2b45bca93e12f51f685c5d80a1c17d488c8ea8df2b009545cb32

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
6.3MB

MD5
de4c41dfc13512265c5d1b83ae86e293

SHA1
fd0e4f97734a2509835e4b49601bda5ca246318e

SHA256
582e8745df9072518af8ff8b6895adb9d72136d7f66a6e3708dd5e4df05c1649

SHA512
6ed54c25abf4e0d7631bb363abef029c48f849b1d97da52b7960729ce56af052ff5ac7ca5298c38e541c16744783ecb40c2c200be8ba53fa27fee93836351f30

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.dll.sys.exe

Filesize
28KB

MD5
3b2a2c4ca7c1963bd8bebc1448948fa0

SHA1
818e1920df4f384509f6e8122afc2fb5c9a80183

SHA256
09047945b67367e65454fa1245430545a74f5d52f78f511b494514b531d6b2ae

SHA512
f66fd493f5ebaf8724b00c522761bee0a55efca4e3a40138445bc98a5d75dc48a12366e1bcd74e2ec8aa763e026bae5e0d979a99f7c4159370f5621e5f3cd612

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

Filesize
5.6MB

MD5
40228458ca455d28e33951a2f3844209

SHA1
86165eb8eb3e99b6efa25426508a323be0e68a44

SHA256
1a904494bb7a21512af6013fe65745e7898cdd6fadac8cb58be04e02346ed95f

SHA512
da62cc244f9924444c7cb4fdbd46017c65e6130d639f6696f7930d867017c211df8b18601bfdaaee65438cee03977848513d7f08987b9b945f3f05241f55ec39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.dll.sys.exe

Filesize
46KB

MD5
4343a8b44e6e3d0b3c346bd64d08c3fd

SHA1
2f73c3fae7821c2fb52d4a597774ce913dcb8bc6

SHA256
5c804029dfbfd8d927fe4f1e4d482b210a5d2c1fa57f3a6f8333a154ec0404a3

SHA512
3967c8c19ad9277787e2a190bcd1d6b97fb5643ad5f42c1b86bb9433b12e53d289150071735fd06dc53f861e511856f54a72e5da0e0e218f2dca0bcce46938fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
f9a039b420a8b4def993fab229a61551

SHA1
c81d658518234bbceb055768c9367cd0152d3f25

SHA256
70fb29c22fa252d72859a9ec427ef8db099f87ed968efbfbbfb88a12e1906637

SHA512
8887f1d86e19a69108b64cbf6d0ea36da720c9281063e481d6309ba648742797ffed30134daaaa68ecdf975b94f3bb3d817389c3531d5924f34ccc2640541c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1f67ec59c5d54f9e10292b31d1cc6a3f

SHA1
154e5f1bf8ecd2058361fd1334e4ee3e97fdccd9

SHA256
2124f84109b9bda654e3410209009b787e86ca2220e996947af2690df9cbc4ba

SHA512
99ece0abee779397107731a7ad28bfd8cb154dc031cfab76202e660a49ab99b0bacaa6f5ab13810d769ca51ec1c6fb668961dcd8035a29ff1137bfbd0f8384f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3cf73b60450d4347e580fd9e7d20f8ca

SHA1
06bb88f4a7cfe0ad88ccae0918bd5b406f9bb8a3

SHA256
0ee1fe2c4b9e35199bcc1ed3872e65978d6705b7d0c406178036a623b093890b

SHA512
a02a4c884ecc8c737a816b69c4d2f58a4a79c93c4eb15bf9eaf50d9432309609eabbb0e02cc22e6656b6ae5fae8f25e660c7e4d0185f10a6a4737b1d49bb7d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9d9bc2e3ec7e815cc52e63a0c06f3b49

SHA1
149c6ea0b380c709950c11ba78edbc9ed1beca67

SHA256
bf9a0781308f344b23f0ad8681ea2ba19c012e613805282b0799a9e7eafe4de4

SHA512
1d65ac556fc854b35b0acb923c3a2d89b3c233df966b42fd9d93c78e1972f7c3d10f51fa6da7f1cf42eb912ea4b3bc50427100b571691d77c3a1cd9ec17309d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b10c948a55ff316b55bfe048ebde63e

SHA1
186497b4553783af3ea3c70f0803ec7a84860658

SHA256
f11ed01425e3c909307050c1c01fcd804fcd36fb1cf3f392d7693a8c57f583bc

SHA512
0778a28e5123436c94c4ad9217b9cff69584a0c065a5d5d2bc73a6292c18b3c9f6c649b8e4afcc4cf1985463f73e426ae7b4a99c1beaf7bb7983c9046f7bae69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
324b2a2e0b5505ef6a5d2e11733159b0

SHA1
73ceb257bcecdc7905fd96c55467497c928c8a6f

SHA256
25bea8a23d6df39c1e07a8d336d3cd427607055caac4dfd243eca353422a4c68

SHA512
8f8845662417abeefb87d52ccff98370afaba2d2fd1cfa24dab084fd0633b9c5fe980c832cdb2b26cd5065b32209a83e4abc3ce213bae12e3ac56f08bb71a377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77f2009b617f41e05b0364ae44bcc98c

SHA1
cf0d3ce9a58c5018b9028a1a550a876644169a07

SHA256
fe0c53aa1f4feb9702d2aae2d39f249583b210e91f8f4062c835580749297bef

SHA512
16c9ddc784d20cc48e05dfaa52daead5a992025dd2e6e2220e124bbf8febbf6685af9ae24841297ce162fcf0fb676fe955f9792071bc3be2478a6899f5022d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0cf3a6e2d604c43214d071aaabbce800

SHA1
dafde71029157aa5742d3f6cb62888f5269df7ef

SHA256
1496876998da9aab1d0f1fe11a76fb8f2b0b1bf21edece3ca9f1f98ede829148

SHA512
5f0e9a7b09321b8d0734ddffb8a2443360cc168e12db9cc73b27e1ef44bc010d50ad2b9753a15e6a49b0b04d15aed405313bd42e04c91720efe52d72f2507074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43ad469d6b653eafb61f037593a2a646

SHA1
0b35648e8eb5abe84ca35278f7822934eb717278

SHA256
a8f99e08ceaf02eebf34bd10aba414b92f95042808f7d9dd8662ccb7e1e5f042

SHA512
49b0012c86f9da31d986afe2c0e7b7c9a3407f10058694b6e952bc148e982a43850b4b898309e7e180680b93f8c7009bd9923cd295875d18d8a2b30c8855781d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9a7b6352cb40be752ac23f55ccf7c0b

SHA1
bc18752490d202a0706b4b4c24314e557b1c6837

SHA256
d650958da530af583ca96c0b36b5d07b18aa1a6409fd2fb39c98b5d7d1d3c12c

SHA512
53c98ad6952902547d8c33205b91ce5c97f37ec127c9a633aa6250e07a91c99adec41e2b8013d6ee7003bb43857d744f1efe154ace6001060b35b981d95ef3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d81324cd0bc79a2385e06b964e1f570d

SHA1
813c341b3ec53f396ebc9457f2b776d09143c2d5

SHA256
6893e37326977b2bd6f95f40a88f4a4802c29b9c72243c54d69427ba0242ee5e

SHA512
1e1bdf74e60577d1c55aed9381082df263ae041b371bf20ceb8991d7e76bd94422c7c01d984a80fa477707317e9f432911134140f6ca5e6f6b7f8b7dfc9e2b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
deace81483aa4cdda4d1def0a43226a9

SHA1
bac718990aa754c048aa8310a6fe5223ae2decfc

SHA256
6498a637f4a24e47559f2c92ba7e11aa27707bd0df23ca3895a6bdddb19b1f01

SHA512
03d32f8b9016bd8dd7c9ed03a53747fce5c184c496a1c44e36d1475ecaac22c721909ec68d625c435e62fcde0b43619cf88a4bfd7a2c52ddf7ea970489286752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
22d87b794aa7119c82537075bd128168

SHA1
5505a4e5a9e214e99fbf99adf90bc4f491f590e8

SHA256
4e8fd73f3018a273281b52d3ad90feef926de635d577b03df491669af0f89d83

SHA512
ad642268a94028435d649c90f6614811b6c0dcc51da23cfc2c05560581f3fac5855029d54118629a0b326dccadc7d18c2cace45a4099f3c164c70ee9ac4196a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
946e1b6a09782631cec40b3376483ab5

SHA1
9cdf2cf126642c166a34218c6656265c53ce0d2d

SHA256
8447f1cca20c3b92d88b46b1fdb175a4e5b8e3fde8e89fe5f770ba3f2bdb5dfc

SHA512
afeaca1bbd988df6d91b401e9954b380130137f19ba9474fb03c9cbb9daa3549cdbc3dd69a55f0e6832a309cdb237ea378bbffd14534d16f876db98254ab1198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f40e67df97b66beea5c21a059ee5b53

SHA1
7e430c8001b56c36c83dafa8f8a0f0be57440f95

SHA256
d8fda0548443a6b913a6b94388dfa9be589dd2e78363aadd46fd980e8e6d9b26

SHA512
5e732994e466243e97f71b9cd0aa12475eb03c4a628706c145885d81efe25ee8498cb242f92acb3e377a7a5ce5c0815d07d565d9079e8f6783309a628b5e1b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5941b2.TMP

Filesize
539B

MD5
68ec2b87f96e8addc4e09fa4e28742e3

SHA1
6b256b35d20fdc8ad32f697f22b77f851812c000

SHA256
7134a9f8098b9581ed962a592c1feeae5d8dc4b616e91a605353bbad986290fe

SHA512
2aca44b6908655e722be313ff8424ea0191c2d107af62bb937a3c73472422b422e6dea9c16b6c7a9d95d5a755824f301dfc960a2eefb2d5cff5e5c26a209fb8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7728e87d2f340db4557fc1319dd4e48

SHA1
77233b921726cad3a83a4396395f2b1b82495e70

SHA256
c674b96906a7587fa5828f61052307edbc048ab469c46492cb77b579e75ae196

SHA512
16c48fef325a8fc26f5d7ffe7def5bd3b82ae948af6ced41f9521889d1bc073b668b151376bc308e060537806a4f2f92101861e2c84d2b24f7a2180de7c75a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5026b954fa05fd137971ac0b306ff8f2

SHA1
b12e55a3ebe956da4805e28e2ee9a166843de58f

SHA256
5762c512a024513b002bd533aa57b7d98f90c14f4fb82eff625d546eb536d38d

SHA512
42a5e95fee648b642a29be91656fa1f7eef706bc60464e51310164330d8d731018b82b522d7015eb2626eda9ff43acae86a1f4a0dfa2cfe48f09bc483acceefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
648a856b0a969274871da77a71f483f6

SHA1
0d1e3c9585736b85ea3bcdd0b793203fdcd24119

SHA256
fe3939110951fc348bdb8b42ee8919802421afc046f4c6af003d4f2b5d60c1e0

SHA512
009d2353cac815cca51f02e2d53c51ed39bdab2d0cdd1e8ce21bb201501f1ef0e54c72dafa92d8a531f687cc7b1f3ad2f00cbd29b5fa47634caac6d0f27a3869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
94a7b36dbe826820ccfccec07c56818c

SHA1
b930ff64779c06c877ef103a58ade3793bd2b261

SHA256
4c0eb3b81f444694988eb8355f80bbe0b30c0afb5aa48ac54f6feb7e37a006e9

SHA512
ff34c22f9852b8d8a292472ba7240cbcf8b1ab86ce908e38b16a070e59412cb1fca7dcd6e247eb9838a8b89861831ad1d3f6a37fa4919ee32e3a6ea8eae47eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31758506e7dba4273f06c83cbe1695b6

SHA1
2c405ca36c4eea41d78e169f8d8f1154c2a44fef

SHA256
258158a73e84c8a90183e7b52288b0d01556bb78a4942f6be014bd8070cd0440

SHA512
9dab4d82efafb17dd72aee49d26728ec0bb596ed7208211a906b57d0b045a3997a653fdd9b9c5939ea01e98a82c49cdc01145cbb59179377967c16a96fee95fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\Icon_1.ico

Filesize
361KB

MD5
ca45b937260f25e1b917c67977a7eaff

SHA1
b124f1eabe30bbee137ae4c7121eff0dc841e20e

SHA256
d090be4105342b7119ae95b29dcdfcfb3e47dada0200255626d9c5314f09cb22

SHA512
7cb66f242f04857d4982269f9cb0aadc803513986f5c33715b38d9b2ea6048b5d97b5c52f948cba0525b34b2548c7e8e38e7e437659402b01df17277c60c833a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\Icon_2.ico

Filesize
297KB

MD5
4bef69b287a1fd12e55ed975bff2e557

SHA1
c6564183f5abf471ee025700b588737b1d7d326a

SHA256
40c876451e420a2eff4599aa3e160aeaff3c617dc3bd92841bf9079738c42f70

SHA512
8cb04cb5f3b9c92824bc44e3dd49c50d1e5711be911006bdbaf2c89a56cad30d8b05f87265a1745e39c29bee42f90d718d8629727fa496c4ff487f56bb099659

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.rc

Filesize
46B

MD5
8756daeae08b0f0640d61d67b0ccaab3

SHA1
3a3cde8eb9ae750ccac443e8bf03666f6d0227a2

SHA256
3d04b083f6f7f9c4a5bf91ce2b7adc217166e329773ef990d7c6c2c996c8f63f

SHA512
991b3b93dc7eb18d2abbd8fc5120a15594f8e4255c57c298ba894b72059042e6e219dd8c9389aff62dd76e3af60f7392bf7b75121a9363bb8608af92534ab67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res

Filesize
625KB

MD5
3dd3d827ea49915b74db15283076e3ff

SHA1
2da8b164a1054a444c9189f76bc0bef350d2b4cf

SHA256
9b03ce33da179d684375d4069c192ff11c35347c312f1943733cfa6e02a6a7a9

SHA512
f15613620622f0f6b39e3de736b1485681af4333712f6e1ba2d37e03d6a7a34ced19c5551076abe400bc85dc8dbd1e6b2b797f48b91031cb1097b2f5a4cf7dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\icons.res

Filesize
32B

MD5
45d02203801ec5cae86ed0a68727b0fa

SHA1
1b22a6df3fc0ef23c6c5312c937db7c8c0df6703

SHA256
5e743f477333066c29c3742cc8f9f64a8cb9c54b71dbc8c69af5025d31f8c121

SHA512
8da0bf59066223aab96595c9fbf8532baa34f1f9c2c0dee674d310a82677b6c7d6a1cc0bbaa75262b986d2b805b049ec3a2bfb25a9ae30fe6d02e32660f15e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.exe

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.ini

Filesize
435B

MD5
acfdec289a6f9697e3afcffce6a5e740

SHA1
6edff14c13c22b0bc6d8014d986a1c00820a1dd1

SHA256
e5314e9d51e1d36464e2f2da81622bc21098dd67b306b107ed47bbb52ad65370

SHA512
e7cff5633b056a35599725e87939e4ee6bf3432486d988bb6c37aa9febfe2e413203c624ba0a44fab0af6afca95d26b5015edecd137b68139f985fc0fb316c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.ini

Filesize
501B

MD5
f4a47c6cc859ec0250139e9d8782ef20

SHA1
2ca4fcd6369e8be1e84d42984cc8b902a998b64d

SHA256
170c469d7ef13b96bc7947447bbcb525a6a0ebc64a2e5810dce434f7e0c51771

SHA512
5de4e3225a296799662e0c509a67f0929effeb884c80d7458d54150210b2c7ce006fbf58d6a2b3b85fd21705df6449b5ff8015a67b2a7b9b0799a615497e50f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.ini

Filesize
579B

MD5
65d45470fd0b07b752a183a36db0e2a6

SHA1
650fb3c1826167d274ddad64045bf8f90f89ef1c

SHA256
2d71fc9028d423215ece51be8bc76fe6433023b4524f8a443c53b49fb83e6174

SHA512
d5201cf727da524c2a09ca86b81f5d0474eb99586c1a06e1cff75c4ab749071405f96352f066d1790e530f21608a481e6765d00fc2b41e2cbe9396b0a437bafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.ini

Filesize
586B

MD5
331e189aa3ee12cf589e41ab1a484ae9

SHA1
68132900d7dbefd0892a13350efded332d1e57bb

SHA256
dad7e25f6fcd98bef4f196ea677d832935d8318598c31b7c6aebd1ec1aeb7d87

SHA512
d098cf2e614b0912443af75693f7724c4f8eb5032ae5ba3a6bba70430ac780ca1e5bc5c02710d0b009d8cea3df27f2a24a370f5ca072134f208937db57b40372

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.ini

Filesize
585B

MD5
0fa6233c02083de15b2b0a5f38829e68

SHA1
0b1e12b3976785ca428c4100634cb7cf5d98c2d5

SHA256
6f90a73655c2943824ec3ee4f45282f99b0f5a24adaa241262f98dbb1d932562

SHA512
d1a4929414c01ff399c406b280cf5d7543f83db8aec798e6ea7622f47021cbe959c4d3b0a1bbe39938e516bd96b77088087394b115011df87d37363d82cf5b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.ini

Filesize
600B

MD5
0bc298e23a04e2b5410d3594a4ba76c8

SHA1
fd61c1edb3136d8b02bc34246521c2f451deef01

SHA256
da9e46ce12c2db1ffcbfe51e37b3c009a87d58882044558279805c99d213fbbf

SHA512
7857e994e12907aade89c752e25b28e5e4e006537cf35a4fdabb63c80797655023376012b69db446d8e421721326a8fdedf486afc58c23a3716005d1cf09b3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.log

Filesize
365B

MD5
690064033e14ef0671158ede6c780790

SHA1
7fe8d0f76f91d37451837ab77d2328b29230567a

SHA256
af21d840b79cba5d300e81ed1c84ab053bf3a01d7a3974b0cc65991d2c0ca95f

SHA512
8e79e144803de0b8eb6436d90d9da4ff3eb6b1377f2fbbdc331980a70011680810a3a2a4183858c7b88f210b7ec76f257e9aba8e24383eab29f2726e3f4fb24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.log

Filesize
419B

MD5
6149dee7c3d46c211652d7ff51d49e37

SHA1
fc20a4f30a5f48138098b208e9b81d814a13be95

SHA256
6f9c5ff003f8120296f103dc6a8d50e21c79288e7c68a7e6d55ce4c2984f1e6c

SHA512
4199b37eba28af49763bb002108daa80d824d49810d789da10ceec01185f70e3d2d54eabdf0aa5ff158c345eb63781be36e3bc4c214b376aa51816b3549c542b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.log

Filesize
307B

MD5
e0bca067aa5e5265701d5aac3645fbdf

SHA1
0d3abe301e331904562d8ff732ad65cb3f084c26

SHA256
f754b56ed9c232604339dd323134f4b42f3e62f1fa3c8d30cbc0c8d38ccef0bd

SHA512
7d863c4970ca57d8c459a7b6138252c2cfbc3c1db7f7fb5c2e3184f76fd0a3d1c0de9d3b4cc92210ea111cfd45eb02a0103f66d1a983e11b7adce1f363a85eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.log

Filesize
312B

MD5
1e6f26b3253890a7600fdf978fe27e8f

SHA1
42bf114a5b58a5f0f43c9fcc035bd1e094082e33

SHA256
860eda4d1c5183cbc870ee13a61ac0d7ee3bf3b4a814763c0aaf04e2eec5722a

SHA512
90ef412dfba326ec26c8e9aded2d3c09d8ec79fbd3a0239eaaae99341116dba638df9456fcd85f6b8150a6ec10916be05a65c2c8585e2bfac65b7393a54e0b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.log

Filesize
302B

MD5
763df9193c6dace4c2630bec99facfca

SHA1
9676c1f7bc2869ebfa72d47ce8358f7a3b3e0dee

SHA256
703465bbb85d7270743d7cb2d907af538521186b84bfcaed1c1f9a4e15779eb3

SHA512
0a222955584ac395c5471236be7d866fe255503ac3028e1ad472ff98a186378367f8f122fe8d5f2fc4e2a4f043d314daf807c964c28ecaa3a8ff9b47fb34bd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\svchost.log

Filesize
376B

MD5
f928910e4a6c84bf98e10d2a3230cf18

SHA1
004d443ed960388ca1fbd8f87803342ee481c9ca

SHA256
84822292f5e5293c7631967b6f287be314f461ae7fbdae9dfd9163a3df27ccb7

SHA512
5ecc5a0d9273221fd58d4f7a9331103e1a2159ebd2a59adddf8a9e31413a4d294c52efaadeb0f9a49e87b6e54c7dd79e4b6bde10977466fd1c2c3f835425f804

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.exe

Filesize
4.1MB

MD5
c6391727ae405fb9812a8ad2a7729402

SHA1
83693dc297392c6a28f7f16d23414c6d62921711

SHA256
d98fbfca17f194400d19111e4813340e6666b254b99f833739b661a4d2d0217c

SHA512
7a4e2ff93d853415d433f5e90b36959c78b77590aa1fa00753831eb4d01cb1a972bb9e39eb8dee5b216005e7709eacda51c0c410aacfe37fcdb163603fd36570

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.ini

Filesize
44B

MD5
dbfea325d1e00a904309a682051778ad

SHA1
525562934d0866f2ba90b3c25ea005c8c5f1e9fb

SHA256
15a3a3303b4a77272ddb04454333a4c06aa2a113f210ba4a03314026e0821e6d

SHA512
cd853c67c2b1a44c3f592ff42d207b2251e8b9bc1eb22fc12cd710329069ef75abffccd169418c4f9bd008a40f2fbbfc6904519f27fd658f316309f94b8ff59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.log

Filesize
716B

MD5
4efa429894799da7b83d5d45591caf88

SHA1
47b45f3d36f7a8468f25c721946c3a571ef1c9d0

SHA256
a17b8f139e3ddfd09569a17daaa5d13d562b99a7acf4c03a5400a85975510755

SHA512
da036e84385dfce03a5b2abab42fa53ed7981b36539001ec2343e1584ed0aaa82b35d96405aa3d2073b0d03d6a86601022f509505641a9e51ff13a5b7765bbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.log

Filesize
716B

MD5
ae72bc03382da36d203ce74ba0be1dfc

SHA1
65a99f5dd2d6a882ac6f14e8eabe8e122c53e889

SHA256
e2580ac5ae227472248ecedbbffc91485b625c2231917d9a941513c63f081e46

SHA512
3b77dd5f3025ab5c4686c71d32a3766139e2da076f8b50e2e20067b12af336ccc469083f889e7bd8d0c9d9e80ef143e4c7c4bf31711701dc547a41f3efbcd43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdf01698d364d42994befe8430cb7fd\taskhost.log

Filesize
716B

MD5
c280afba8f71b39c58e9348a3d99942c

SHA1
97b13330ae6c206a4f7b36304759e53adae3e79a

SHA256
8b79a175a5f928e49f5f172827c2ac7165182ec4ccd31467ba4a045c4b5f5b4e

SHA512
5d970974940bf3ea5f679babc4c19a24f4f533ca7cff3ffea4e47e89f07b29d01e00713544a88819e8cffbf005a6785c64680072f27f8dea1f2ec06dc410de5e

Download Submit
C:\Users\Admin\Downloads\52ea2304-79bb-4024-8cde-a3312455c5e3.tmp

Filesize
2.7MB

MD5
878238daffac9ec94c5f858e619f202c

SHA1
e8b31db5ad9493955a4eb5a0dbe366dc2cd50168

SHA256
d62bb542270a0f600bb8b739b7a2242eb981365799d21929ff6bad205c4a6d6c

SHA512
9ccf3ca714233a0fe5371b36edf7ca5428298f86c2a59439bd95bdb45c2eba613a3d4cf706dcd2fa4f8cab55e48338f5733b40bd6542125aba0e3e5f0d2d4113

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\wxp

Filesize
33B

MD5
3d2160fe4bcdc7b6c8686fec1e63a291

SHA1
8b979d773a5ee770824c2c6d19ebd3b233e5c1a6

SHA256
10d6ee17b9c86468fbb9a04d819eafdd88f87e81264ef215ec62b1194a024533

SHA512
fcbb81d44ff241f8cf0d81bc06e2d1641ea3f55c6d21f119590775a7734c80e9c6ab56a34d598d8c197b931d4cd3188010c4a5e36ad229ebe14c714cf4047c8f

Download Submit
memory/976-37620-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/984-36585-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/1360-38434-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2220-37514-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2336-38186-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/2508-740-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2552-96010-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-102995-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-100840-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-28692-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-68760-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-35015-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-49394-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-91170-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-76185-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2552-82013-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-37330-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3008-43195-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3124-31737-0x00000000007D0000-0x0000000000D7C000-memory.dmp

Filesize
5.7MB

Download
memory/3124-31820-0x0000000005D10000-0x00000000062B6000-memory.dmp

Filesize
5.6MB

Download
memory/3124-31829-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/3936-742-0x000001A31DA80000-0x000001A31DAAE000-memory.dmp

Filesize
184KB

Download
memory/4080-34769-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4556-87207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-98439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-743-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-93930-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-38623-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/4920-36840-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/5292-37071-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5392-100842-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5392-35016-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5564-39042-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5576-39726-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/5672-35608-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5720-36739-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5748-7892-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/5784-36133-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/5980-36344-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6036-35017-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6036-91176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6036-100845-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6164-37170-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/6504-35990-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6548-44782-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/6604-38009-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6712-34431-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6868-34529-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/7012-35032-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download