Overview

overview

10

Static

static

1

URLScan

urlscan

https://mega.nz/file...

windows11-21h2-x64

Analysis

  • max time kernel
    297s
  • max time network
    328s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-02-2025 16:51

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg

Score
10/10
dharmaquasarwannacryoffice04bootkitcredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealertrojanupxworm

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

yivowas-34885.portmap.host:34885

Mutex

ac051154-f959-41ac-91a5-6b3292bba59e

Attributes
  • encryption_key

    8E0B590FBC1D8C9D2BA2768B89828285B1FCE5BC

  • install_name

    d8fe7b9f.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    javavs

  • subdirectory

    SubDir

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Dharma family
    dharma
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Wannacry family
    wannacry
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (674) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 7 IoCs
  • Executes dropped EXE 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 64 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 4 IoCs
    defense_evasion
  • Modifies Control Panel 64 IoCs
    defense_evasion
  • Modifies registry class 4 IoCs
  • NTFS ADS 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
      2⤵
        PID:2672
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
        2⤵
          PID:3784
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3564
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8
          2⤵
            PID:3124
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
            2⤵
              PID:2648
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              2⤵
                PID:4548
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
                2⤵
                  PID:1220
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                  2⤵
                    PID:2084
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
                    2⤵
                      PID:4704
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                      2⤵
                        PID:3108
                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                        2⤵
                          PID:756
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4488
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
                          2⤵
                            PID:1012
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4264
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 /prefetch:8
                            2⤵
                              PID:252
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
                              2⤵
                                PID:4432
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
                                2⤵
                                • Subvert Trust Controls: Mark-of-the-Web Bypass
                                • NTFS ADS
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4568
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:8
                                2⤵
                                  PID:3092
                                • C:\Users\Admin\Downloads\d8fe7b9f.exe
                                  "C:\Users\Admin\Downloads\d8fe7b9f.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • NTFS ADS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2772
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    "schtasks" /create /tn "javavs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe" /rl HIGHEST /f
                                    3⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2244
                                  • C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe"
                                    3⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of SetWindowsHookEx
                                    PID:5112
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "javavs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe" /rl HIGHEST /f
                                      4⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3168
                                    • C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe
                                      "C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:4520
                                    • C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe
                                      "C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in Windows directory
                                      PID:1528
                                      • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                        5⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SendNotifyMessage
                                        PID:3500
                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:17512
                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                          6⤵
                                            PID:15480
                                      • C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe
                                        "C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe"
                                        4⤵
                                        • Drops startup file
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        PID:5316
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c 262561740070401.bat
                                          5⤵
                                            PID:5988
                                            • C:\Windows\SysWOW64\cscript.exe
                                              cscript //nologo c.vbs
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2120
                                          • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
                                            !WannaDecryptor!.exe f
                                            5⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:5108
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im MSExchange*
                                            5⤵
                                            • System Location Discovery: System Language Discovery
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3968
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im Microsoft.Exchange.*
                                            5⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:8
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im sqlserver.exe
                                            5⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:800
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im sqlwriter.exe
                                            5⤵
                                            • System Location Discovery: System Language Discovery
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4080
                                          • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
                                            !WannaDecryptor!.exe c
                                            5⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:5908
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd.exe /c start /b !WannaDecryptor!.exe v
                                            5⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5936
                                            • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
                                              !WannaDecryptor!.exe v
                                              6⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of SetWindowsHookEx
                                              PID:6032
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                7⤵
                                                  PID:3704
                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                    wmic shadowcopy delete
                                                    8⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3524
                                            • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
                                              !WannaDecryptor!.exe
                                              5⤵
                                              • Executes dropped EXE
                                              • Sets desktop wallpaper using registry
                                              • Suspicious behavior: GetForegroundWindowSpam
                                              • Suspicious use of SetWindowsHookEx
                                              PID:5616
                                          • C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe"
                                            4⤵
                                            • Drops startup file
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Drops desktop.ini file(s)
                                            • Drops file in System32 directory
                                            • Drops file in Program Files directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5568
                                            • C:\Windows\system32\cmd.exe
                                              "C:\Windows\system32\cmd.exe"
                                              5⤵
                                                PID:4592
                                                • C:\Windows\system32\mode.com
                                                  mode con cp select=1251
                                                  6⤵
                                                    PID:5692
                                                  • C:\Windows\system32\vssadmin.exe
                                                    vssadmin delete shadows /all /quiet
                                                    6⤵
                                                    • Interacts with shadow copies
                                                    PID:11072
                                                • C:\Windows\system32\cmd.exe
                                                  "C:\Windows\system32\cmd.exe"
                                                  5⤵
                                                    PID:6984
                                                    • C:\Windows\system32\mode.com
                                                      mode con cp select=1251
                                                      6⤵
                                                        PID:6832
                                                      • C:\Windows\system32\vssadmin.exe
                                                        vssadmin delete shadows /all /quiet
                                                        6⤵
                                                        • Interacts with shadow copies
                                                        PID:10512
                                                    • C:\Windows\System32\mshta.exe
                                                      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                      5⤵
                                                        PID:10576
                                                      • C:\Windows\System32\mshta.exe
                                                        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                        5⤵
                                                          PID:10448
                                                      • C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:8636
                                                      • C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:21136
                                                      • C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:21236
                                                      • C:\Users\Admin\AppData\Local\Temp\mRospJf6K4kz.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\mRospJf6K4kz.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        PID:332
                                                      • C:\Users\Admin\AppData\Local\Temp\7yXGoA4N3yZu.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7yXGoA4N3yZu.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        PID:11408
                                                      • C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:16504
                                                      • C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:17388
                                                      • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:18728
                                                        • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:9380
                                                        • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:8964
                                                        • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4520
                                                        • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
                                                          5⤵
                                                          • Executes dropped EXE
                                                          PID:20472
                                                        • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:7704
                                                        • C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /main
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • Writes to the Master Boot Record (MBR)
                                                          PID:19048
                                                          • C:\Windows\SysWOW64\notepad.exe
                                                            "C:\Windows\System32\notepad.exe" \note.txt
                                                            6⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2080
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
                                                            6⤵
                                                              PID:5660
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
                                                                7⤵
                                                                  PID:18368
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
                                                                6⤵
                                                                  PID:20888
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
                                                                    7⤵
                                                                      PID:14736
                                                              • C:\Users\Admin\AppData\Local\Temp\IM5eWQMtc2Zn.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\IM5eWQMtc2Zn.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                PID:10628
                                                              • C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:11336
                                                              • C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:14428
                                                              • C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2368
                                                              • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                PID:6356
                                                                • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
                                                                  5⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:7896
                                                                • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
                                                                  5⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:9776
                                                                • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
                                                                  5⤵
                                                                    PID:8208
                                                                  • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
                                                                    5⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:8332
                                                                  • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
                                                                    5⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:8644
                                                                  • C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /main
                                                                    5⤵
                                                                    • Writes to the Master Boot Record (MBR)
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:8768
                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                      "C:\Windows\System32\notepad.exe" \note.txt
                                                                      6⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2244
                                                                • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe"
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:20060
                                                                  • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
                                                                    5⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:9688
                                                                  • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
                                                                    5⤵
                                                                      PID:9620
                                                                    • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
                                                                      5⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:436
                                                                    • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
                                                                      5⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:9972
                                                                    • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
                                                                      5⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:10168
                                                                    • C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /main
                                                                      5⤵
                                                                      • Writes to the Master Boot Record (MBR)
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:10508
                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                        "C:\Windows\System32\notepad.exe" \note.txt
                                                                        6⤵
                                                                          PID:11068
                                                                    • C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:12228
                                                                    • C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1640
                                                                    • C:\Users\Admin\AppData\Local\Temp\6OKWvlSKnKAj.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\6OKWvlSKnKAj.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:11204
                                                                    • C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:11768
                                                                    • C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:10096
                                                                    • C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:11280
                                                                    • C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3316
                                                                    • C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4744
                                                                    • C:\Users\Admin\AppData\Local\Temp\Hb4u4O5C4dLX.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Hb4u4O5C4dLX.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:21388
                                                                    • C:\Users\Admin\AppData\Local\Temp\em9RZDNzLWhg.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\em9RZDNzLWhg.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:12364
                                                                    • C:\Users\Admin\AppData\Local\Temp\N5wez5oJLK4e.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\N5wez5oJLK4e.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:12780
                                                                    • C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:13144
                                                                    • C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:13316
                                                                    • C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:13544
                                                                    • C:\Users\Admin\AppData\Local\Temp\0pWCtOtM9DUH.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\0pWCtOtM9DUH.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:13804
                                                                    • C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:11328
                                                                      • C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
                                                                        5⤵
                                                                          PID:17472
                                                                        • C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
                                                                          5⤵
                                                                            PID:17480
                                                                          • C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
                                                                            5⤵
                                                                              PID:14248
                                                                            • C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
                                                                              5⤵
                                                                                PID:20656
                                                                            • C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe"
                                                                              4⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:11500
                                                                            • C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe"
                                                                              4⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:11800
                                                                            • C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe"
                                                                              4⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:12532
                                                                              • C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
                                                                                5⤵
                                                                                  PID:19692
                                                                                • C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
                                                                                  5⤵
                                                                                    PID:20120
                                                                                  • C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
                                                                                    5⤵
                                                                                      PID:21184
                                                                                    • C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
                                                                                      5⤵
                                                                                        PID:12920
                                                                                    • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe"
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:14400
                                                                                      • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
                                                                                        5⤵
                                                                                          PID:9592
                                                                                        • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
                                                                                          5⤵
                                                                                            PID:19632
                                                                                          • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
                                                                                            5⤵
                                                                                              PID:376
                                                                                            • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
                                                                                              5⤵
                                                                                                PID:16760
                                                                                              • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
                                                                                                5⤵
                                                                                                  PID:7468
                                                                                                • C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /main
                                                                                                  5⤵
                                                                                                    PID:18128
                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                      "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                      6⤵
                                                                                                        PID:13888
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe"
                                                                                                    4⤵
                                                                                                      PID:14892
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog
                                                                                                        5⤵
                                                                                                          PID:15408
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog
                                                                                                          5⤵
                                                                                                            PID:2068
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog
                                                                                                            5⤵
                                                                                                              PID:4080
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe"
                                                                                                            4⤵
                                                                                                              PID:15208
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
                                                                                                                5⤵
                                                                                                                  PID:16512
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
                                                                                                                  5⤵
                                                                                                                    PID:18264
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
                                                                                                                    5⤵
                                                                                                                      PID:17444
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
                                                                                                                      5⤵
                                                                                                                        PID:5824
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe"
                                                                                                                      4⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:15616
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
                                                                                                                        5⤵
                                                                                                                          PID:3156
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
                                                                                                                          5⤵
                                                                                                                            PID:7212
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
                                                                                                                            5⤵
                                                                                                                              PID:6492
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
                                                                                                                              5⤵
                                                                                                                                PID:2940
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
                                                                                                                                5⤵
                                                                                                                                  PID:5576
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /main
                                                                                                                                  5⤵
                                                                                                                                    PID:10604
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe"
                                                                                                                                  4⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:15944
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
                                                                                                                                    5⤵
                                                                                                                                      PID:7848
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
                                                                                                                                      5⤵
                                                                                                                                        PID:11772
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
                                                                                                                                        5⤵
                                                                                                                                          PID:18088
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
                                                                                                                                          5⤵
                                                                                                                                            PID:7112
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
                                                                                                                                            5⤵
                                                                                                                                              PID:12220
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /main
                                                                                                                                              5⤵
                                                                                                                                                PID:4312
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe"
                                                                                                                                              4⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:16332
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
                                                                                                                                                5⤵
                                                                                                                                                  PID:17300
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
                                                                                                                                                  5⤵
                                                                                                                                                    PID:16072
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
                                                                                                                                                    5⤵
                                                                                                                                                      PID:15752
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
                                                                                                                                                      5⤵
                                                                                                                                                        PID:10420
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
                                                                                                                                                        5⤵
                                                                                                                                                          PID:17744
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /main
                                                                                                                                                          5⤵
                                                                                                                                                            PID:18352
                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                              "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                                                                              6⤵
                                                                                                                                                                PID:7236
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:16808
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:11616
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:17168
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:16300
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:19488
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:14788
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /main
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:12448
                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                              "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                                                                                              6⤵
                                                                                                                                                                                PID:2404
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe"
                                                                                                                                                                            4⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:17088
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:9848
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:17916
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:15820
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:5240
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:15212
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /main
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:16872
                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                            "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                                                                                                            6⤵
                                                                                                                                                                                              PID:15280
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:17324
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
                                                                                                                                                                                              5⤵
                                                                                                                                                                                                PID:17840
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:17952
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:12960
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:180
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:11644
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /main
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:7756
                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                              PID:4932
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe"
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:18068
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                PID:19140
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                  PID:19204
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:19320
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:19424
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                    PID:19748
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /main
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                    PID:2936
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                      "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:20112
                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                        PID:13040
                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                            PID:13308
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                                                                                      PID:6008
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                                                                                      PID:6544
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                                                                                      PID:7856
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                                                                                      PID:3376
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                                                                                      PID:7048
                                                                                                                                                                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:4672
                                                                                                                                                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:3004
                                                                                                                                                                                                                  • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                    C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2096
                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:2436
                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                        PID:3136
                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 27611 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc58a43d-c48a-4eb7-b758-eaab8f831156} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" gpu
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:3044
                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 27489 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1c90631-357a-4162-b3c7-d9e4156f7f7d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" socket
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                            PID:224
                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3268 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7abe9d9b-1419-4f4f-89bb-31a8fe92e375} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:556
                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3172 -prefsLen 28555 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3aaddf5-3e16-4525-8467-80ed6a985939} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:1224
                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 4272 -prefsLen 32863 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0b999ea-7208-4a9e-87bd-d8216288be4d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:668
                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 5008 -prefsLen 32863 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02a5a496-2da2-4f15-8aa8-276ff448d3ea} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" utility
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  PID:5224
                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bc77ba6-6c37-45d9-abd2-33f7c5b73ad3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:5652
                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5684 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744674db-6e99-4d4d-8d63-c8e4081b8e36} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:5660
                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 6 -isForBrowser -prefsHandle 5948 -prefMapHandle 5956 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ea5103-c192-42d8-be96-a0b39b32d311} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:5684
                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:3224
                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                        PID:4696
                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:5012
                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                          PID:5096
                                                                                                                                                                                                                                      • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                        PID:6092
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          PID:8532
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:14808
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                          PID:6136
                                                                                                                                                                                                                                          • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                            "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:1680
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                          PID:5232
                                                                                                                                                                                                                                          • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                            "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            PID:11128
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                          PID:4368
                                                                                                                                                                                                                                          • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                            "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:2628
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                          PID:2984
                                                                                                                                                                                                                                          • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                            "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            PID:9236
                                                                                                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                          PID:1356
                                                                                                                                                                                                                                          • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
                                                                                                                                                                                                                                            "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:9992
                                                                                                                                                                                                                                        • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                          C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                          PID:1336
                                                                                                                                                                                                                                        • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                                                                                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:9844
                                                                                                                                                                                                                                        • C:\Windows\system32\werfault.exe
                                                                                                                                                                                                                                          werfault.exe /h /shared Global\83893eae0e0842398fbeabd105dc2755 /t 20556 /p 10576
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:18116

                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                          Reconnaissance

                                                                                                                                                                                                                                          Resource Development

                                                                                                                                                                                                                                          Initial Access

                                                                                                                                                                                                                                          Execution

                                                                                                                                                                                                                                          Scheduled Task/Job

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1053

                                                                                                                                                                                                                                          Scheduled Task

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1053.005

                                                                                                                                                                                                                                          Windows Management Instrumentation

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1047

                                                                                                                                                                                                                                          Persistence

                                                                                                                                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1547

                                                                                                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1547.001

                                                                                                                                                                                                                                          Pre-OS Boot

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1542

                                                                                                                                                                                                                                          Bootkit

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1542.003

                                                                                                                                                                                                                                          Scheduled Task/Job

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1053

                                                                                                                                                                                                                                          Scheduled Task

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1053.005

                                                                                                                                                                                                                                          Privilege Escalation

                                                                                                                                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1547

                                                                                                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1547.001

                                                                                                                                                                                                                                          Scheduled Task/Job

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1053

                                                                                                                                                                                                                                          Scheduled Task

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1053.005

                                                                                                                                                                                                                                          Defense Evasion

                                                                                                                                                                                                                                          Direct Volume Access

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1006

                                                                                                                                                                                                                                          Indicator Removal

                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                          T1070

                                                                                                                                                                                                                                          File Deletion

                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                          T1070.004

                                                                                                                                                                                                                                          Modify Registry

                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                          T1112

                                                                                                                                                                                                                                          Pre-OS Boot

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1542

                                                                                                                                                                                                                                          Bootkit

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1542.003

                                                                                                                                                                                                                                          Subvert Trust Controls

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1553

                                                                                                                                                                                                                                          SIP and Trust Provider Hijacking

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1553.003

                                                                                                                                                                                                                                          Credential Access

                                                                                                                                                                                                                                          Credentials from Password Stores

                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                          T1555

                                                                                                                                                                                                                                          Credentials from Web Browsers

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1555.003

                                                                                                                                                                                                                                          Windows Credential Manager

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1555.004

                                                                                                                                                                                                                                          Unsecured Credentials

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1552

                                                                                                                                                                                                                                          Credentials In Files

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1552.001

                                                                                                                                                                                                                                          Discovery

                                                                                                                                                                                                                                          Browser Information Discovery

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1217

                                                                                                                                                                                                                                          Query Registry

                                                                                                                                                                                                                                          4
                                                                                                                                                                                                                                          T1012

                                                                                                                                                                                                                                          System Information Discovery

                                                                                                                                                                                                                                          3
                                                                                                                                                                                                                                          T1082

                                                                                                                                                                                                                                          System Location Discovery

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1614

                                                                                                                                                                                                                                          System Language Discovery

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1614.001

                                                                                                                                                                                                                                          Lateral Movement

                                                                                                                                                                                                                                          Collection

                                                                                                                                                                                                                                          Data from Local System

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1005

                                                                                                                                                                                                                                          Command and Control

                                                                                                                                                                                                                                          Exfiltration

                                                                                                                                                                                                                                          Impact

                                                                                                                                                                                                                                          Defacement

                                                                                                                                                                                                                                          1
                                                                                                                                                                                                                                          T1491

                                                                                                                                                                                                                                          Inhibit System Recovery

                                                                                                                                                                                                                                          2
                                                                                                                                                                                                                                          T1490

                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-98A77731.[[email protected]].ncov
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            2.7MB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            2f2d375806c48800271b743de645ceb8

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            55a07953e362f6a5336ca1e6b109d7df4abbc750

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            5046ca487c8589490ad3fb46991bfbb50362a6122f66fe8f027430afdb16d0ad

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            687476b3e335022b1f0bc50184663915f2ad50acbc57903819f3941c830e0ef33605a74e76a15d7cff9eaac534017355d4223bc7fb3c3010a98947a33dc4af0b

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d8fe7b9f.exe.log
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            b4e91d2e5f40d5e2586a86cf3bb4df24

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            31920b3a41aa4400d4a0230a7622848789b38672

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            152B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            825fb95a70bf7b56cfcda1f118800f98

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            15f1e212c1fb567c70ff4f716a4bba81f2857e0a

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            2280c42f8ca4302a1d37d63532e3e981e33b596e3b2e930ce40b390dc0f09104

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            987189b84f58e5d64b662f80f47ae797bcf46aeba86584cc17afabd2f25885a4cf48d80400154ba22eeee1131b84f882cd1998d1686ee12013218f52049bc6d7

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            152B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            e45a14e89fdf82756edc65c97e606e63

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            42ce594393a4ce3b4e1c79dbe424841bd3f434c8

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            49af9d716c69fb93ebee18e708f4ceaab99abf505abcbad1bd46c60ace03da9f

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            6af0cabb253026d7613065e7274f8be114fc2cbd0134e8d518a417bf4b2b94ffc8b9c05be4e47685ac6d7246e28c11a86852ee4b6e934bf6c6d56b6c97428425

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            72B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            8b55f92216367e0a93e0c1bbbdc29151

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            e5d1a2e47aadf01686da94c4ed0ef1fff8b8c6e6

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            c1649945f5ec50029e22c17f0c4235ff77a25e31bc499ca6f3b327efe354de90

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            cb8ae45dd7cd67ece4f800441f6c925d8b570b096c6b8c0327d679aff5ef2f7e7775dea120351f996170b405ce3c3aff792ceff2c8e899d7f50ec5d10d5baab7

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            41B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            5af87dfd673ba2115e2fcf5cfdb727ab

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            16B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            46295cac801e5d4857d09837238a6394

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            257B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            ba4e2003fe7d847c86a7514b27c21c5f

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            7dc5189fa073797ff6cec15cf7921146f4fa0ab5

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            5KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            c97fe3c35bac6d6d925431c1d5a080c5

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            b50d7835b1bb0b3cef26e37ad793b8732f5ff58e

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            05bf0b4933eefa9b4f0b831147a1e2e25fd6785615c7c56a1381f180f55051a9

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            48ebaea64f136a0f781aaa61d91ed41489113619108877eccce2c0472900f21b98c575c2ecbce11d3be95dc104934b76a2ff92d620188b2a32e709e2bc8f6728

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            18f972b0464491b8b90ea70f1d8169ef

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            a3e63b7d8fc5f02eb9f959aa3f159d1734051c04

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            66e3ae92bb153f436394a1520c05b93932930bf3e195210820f059b3b786b0f1

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            862bd08c67a3c1ff329093c06b0d47a9cd4e829827f80226c0a74268f48d58d19a5e253a0ae798433d46b4133346802eb4bcf70fe374d22ca2c4f00c88fd13d6

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            b7e63949a60cfd50bef9f15629d59c59

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            523e0ae3acbf9052b2f583d1aad69c08c51a26b4

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            25fca7229d5a449f9ab81c6776178fef585bd02f91061d0664c343d26c8c7a23

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            b4de20b3acd39b38a34ae63baf677d4eebd948902c8da9f2bdb6bd92e8912e1f3c2cdb49e7dfda7b06a7eba21735876b38ef54dc7c853e26d3f4279441e8f7bb

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            72B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            2592450c023537f1c8028150ed1c013d

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            89ece2499243c26435aac6a22d2490edb28399be

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            c9229faf9ac2e5b5425332433730170fa6ba4133bbd6e24d154bdcda75475c18

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            f6516542b6ba90a0f6e3ded2e3302f6267ee84747e4082f3d70dcc85bf2092766413dd8515a7762335c740b886acd5059d8472828ef2b05aeb50986854d2b0e2

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c7e4.TMP
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            48B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            3f43d324afa9bc50b102937926f482f1

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            c2de6651462f3603a8d1545ff05e9d12f5857f0a

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            2ecf24223a8f9945a2dfe1521c33a02b62791641973a7a526c7eec223f6058ae

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            2bcd4e773f86d4a73a2f83db39d264285bc57e325a7168f33798f7b9093e8b0408bc33e615881cba9551cc875d4f9f4eb8ab55d4035eb304febbaf65eac7d9bc

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            16B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            206702161f94c5cd39fadd03f4014d98

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            28KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            02e63f9dda664051c5f8e5f8825885c4

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            73b86a36f30c94143b60f599d73898c02d33093b

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            1c57909ca621ab927b31aca493155754d389daecb5713f027d0e1bb54aeae860

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            754b1142320db002599c458ffab80d97ca7a4602fc405cd08423639284af06a966ffdd65147fa84fc31055d49d36b22ff08ec849349769497c00b5fc7704febb

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            16KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            9a8e0fb6cf4941534771c38bb54a76be

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            92d45ac2cc921f6733e68b454dc171426ec43c1c

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            52KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            f4b36b031c37bed78143c551ec1b0de5

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            5bc4bb638c654ab1bed94d73b42627bffb8a1c5f

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            ae1bc0af08f5373ec0ab313ccff2e8226c7ea11c88390e9942579d39fe108ad1

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            935ef1821eb1263268a55286b16ab208f8e70b93946b4c3ca0d646d24c05f91103eb92c1693d43fbe187f076552d3439ec35a71334a6863feaa77516e8468dfa

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            16KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            d926f072b41774f50da6b28384e0fed1

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            237dfa5fa72af61f8c38a1e46618a4de59bd6f10

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            11KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            6ea874346a9347e05be37950f2b9a8de

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            a893f83932612c2600da94eaf5265cd14965d873

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            c19de2df0ac0cc62c4906bd815dc614e99c4d3e21210f1df3390ac1f250acf08

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            8076002df3d547c15fc8103c2c4a0f5a81de1fe070f9f7fac3c04ac746dd92d73ac2df4e4e7151068f5f03fe743f697f642172167f9fd1740ca2dc0598b09af5

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            11KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            5b930fd2466d8d2f273613afd89ce0c2

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            0f07a6d2167bb761133daa823e9786efc12ee8b5

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            a1905ba1be5d5e80749b93fb098a846afecea211fbaadd8b6999145235c7e832

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            40a803ca49b207454e86fd2695c4b70c262dd1dc4f3129744fa48215923f07b392dadb6a91c34e6518e3a21361aff58cee24296551b90b07a8450b97f2ad415d

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            4B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            eff8bcd4b3108783bd9b8499d021820d

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            fc9063556afd0a30cd819d30f0b8ece8a8fdc389

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            79978104ab93f1db8eb9e32b6f746e73e40e435908342ac45ea8cb2779eb4d43

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            3de46fff0f4fb1ecdc1e8e644bca6f27c77b1d8de0a24599803749e0d1fccda9f2389f152abcf827b53089ec063d917486725f17f6289c9053ef6731977b75a2

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.WCRY
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            888B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            00f93320c5ed25c032f2049020cb7bef

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            18eb96a6871bac888218decbad87619c57536436

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            51b3ad4bf5df8836f698b2185300d28474d7e400253a8e6035ac0bcf307eca84

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            8655a7cfb22e50edd8ec5cef3088277a4a3c57e890c526563b45c33ea80acd911f6dbc2cc0b9d45ac39f98f0a00ee64e77609fe84f54e189d3490e158562f04a

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nimmy3l.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            21KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            f254075b381b4ec3420bdb6d8b48105a

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            5d8882ec1f9c880ed2967063cc09bb6798aba619

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            595ea7f7c380b8302c07fcc86bd1bab1e7c442afc101cef712837b864484e455

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            fb3a99332dc63d0507da74e46b6a5bb2b34d8cf357c35836d93f4aacc487491921ab31b8780288952bddf069c04dc7931ad82ae76bc0ef728562d14a6fdb42af

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\80cafb94-e633-4bc7-8814-cb4e741a1b49.down_data
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            555KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            5683c0028832cae4ef93ca39c8ac5029

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            797B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            afa18cf4aa2660392111763fb93a8c3d

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            c219a3654a5f41ce535a09f2a188a464c3f5baf5

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            11b66e3e691ef00452183d435f5a8fdf

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            731daea53c0f13d54be1ca661896c670217eacb2

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            1cd4aa05c1e4a42a0ead86cbbe254822ed8fb200b2f96406b2ab1a6fbdcde376

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            9bfbd85b41512145a28d22a66330751a3feb191e85c3f7944998fd00cb24d143990e55f61119bad10b6721a8ee5d7df1078058c24058125d7fb7947acdfe3ad1

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\00000000.eky
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            aa5816186756824abb35f65ffb45712d

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            0b809ad5155fa8bba0746b1d57d300b6f32301d1

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            96a67819df4e09c7723d9f7526209bb2adfb47dc09754258c1a2737799f1fa5b

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            6daad6e5d15255936368d87f1d4af886807f2ffc927ecc7193289765f390a6d00b06d1a0874a4e015185dccf68f6bbd5235e93c290e90a8ae46a7425df0cd9c2

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\00000000.res
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            c0b5350281102d7be1c99d4b7006955c

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            5ce57b323c874439f4111421d92f7091feacc7ac

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            e7471c737175e3f5e64546f5cafbe5471cb46e6619432cc8e84011f2ef11c8a6

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            56adcd531a118ff05f3f9393999e5409b28835e4113c8f4d5c162deddd399e8dad0d64a307983c0af83e91866b97daf969b7953534e10256dc3383a0550cd4df

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\00000000.res
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            b7c132dc38b1bc77e232e7db763a7268

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            30cabf2ee5ba704f91271a8dc55634524b271036

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            dacd870d4938525f78e149e0358f2341328b8fde1411938b9cf1913b4ca0147e

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            befe6d5e687ba53ec77cf18be53317415740ffd8d7bdc367994fdb3cab5b4393b53ec14cc349d54e497c5df056605e955c7440c781a3c3b3098205ddd395b194

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\00000000.res
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            173e4d33c28d21cc7327238f15814af4

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            c2eaa27e61815dd24fe6ca9bc21e8727bc43bfc8

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            035889e3d9fdbb691c221670db472cd5b659171b950f946903f713e8c233a403

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            60bec760ce8ac940bf4ef22be299159815de06546aef6aae29ae72318718192289c5193dca4f298dcf44ffada00ea75fc915b6867a1a6b1a883815845629d226

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\262561740070401.bat
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            336B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            3540e056349c6972905dc9706cd49418

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            492c20442d34d45a6d6790c720349b11ec591cde

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            224KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            5c7fb0927db37372da25f270708103a2

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            120ed9279d85cbfa56e5b7779ffa7162074f7a29

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            396KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            13f4b868603cf0dd6c32702d1bd858c9

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            a595ab75e134f5616679be5f11deefdfaae1de15

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            b01ee228c4a61a5c06b01160790f9f7c

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            e7cc238b6767401f6e3018d3f0acfe6d207450f8

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            53KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            6536b10e5a713803d034c607d2de19e3

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            a6000c05f565a36d2250bdab2ce78f505ca624b7

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1.0MB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            055d1462f66a350d9886542d4d79bc2b

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            f1086d2f667d807dbb1aa362a7a809ea119f2565

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\c.vbs
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            219B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            5f6d40ca3c34b470113ed04d06a88ff4

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            50629e7211ae43e32060686d6be17ebd492fd7aa

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\c.wry
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            628B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            1f96a3c966f195d03a802f14cbf53ef9

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            be4a92e4fdb80bbad344d9b3f5d9eaa5c0694e91

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            54f12cad8e0d09d9fdd05418c8f724e4fa7fe36b50523d3c8d51adc81c92c8d3

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            3a4d6916eefbc09f14701a874ad02edd5c41cdcbb9baf9f5717761ccb14d9ef42373c9e1dc89864f3986fa5a0c4f5d8cd3c8fef0ef78d3b9894085f9d51332ea

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            14KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            19dbec50735b5f2a72d4199c4e184960

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            6fed7732f7cb6f59743795b2ab154a3676f4c822

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\f.wry
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            112B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            9255ff9caa1e9e67c8cc46741b093c6c

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            ff7c24a050cb14c103915376cc1361a572a6b91e

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            8a081be48d54598d6bf3fea0b8747a08b43cb6cde63c72084c18031835dbcce6

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            1bc3f2d32f483d61a51a1c2798a00f0e641ac7d1eedfafeee7fc6dd17771cbfac55385da69cb65eb7f44edbafd50741255e701a9d93acf4abd93873f8ac729fb

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\m.wry
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            42KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            980b08bac152aff3f9b0136b616affa5

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            2a9c9601ea038f790cc29379c79407356a3d25a3

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\u.wry
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            236KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            cf1416074cd7791ab80a18f9e7e219d9

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            276d2ec82c518d887a8a3608e51c56fa28716ded

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\cert9.db
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            224KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            8157ee9fed46397f901ad9101615a2da

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            045707ac6386388992c087e10abef689459067ab

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            92116ded421257ca49a1e16c6f6bf33f367f2bfafdd2c497b851b769c0002934

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            b22b67f1c136533865a19afca48d7be9302e701113a2259209e6f3be6adf46c908726183db704e93edfbb57b5c3d6c4cc3e74a10d3a2731c71a2d1eea903991f

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            913c3ed62c21995d6ee2d19842ddf262

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            4757cd295c5f63eb32317d83e6b15db578dfc77f

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            dc0597ffbbd67ceeb0a28783f5f9e9951070ef69d41d667ce5fe401f4ed14c69

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            fa99d14b93c4d269894dd44d47fc58286f691bba088c7c3b15a3a3020963841b325665cde414e0383ccd7f6eed5def383c99452fa5b3f8b8173c76e773adc0c2

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            5KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            ff46e60835d90702db9e2aba621039fd

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            5bb2d545566e4aa5b1de92414b059f249e99f8dc

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            362083965af0724c75f7123800122cdbea624e7e9681fda898b09a1e5845ff25

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            de185346375af4249923ebaa895352cbf9cb5181b1bd6e5d82e3066849776054e84e82386314b4637dc1ab6c8174f9147ec3dcedc27722c31673b3aa40a05c3c

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\529d6098-75e0-4144-9793-c656ad6d6d3d
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            671B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            7d66d70e23dfe0ca2c5f69537c5cc0d0

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            76e9390acb50948e7b09930e88b262aac99dcc45

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            28b0522f1ef144859af9d1eb7a5490aec10ee8b4268d66ee3e6e341b7c94dd10

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            4a82b99c5e2c0517754a687bee3e68f6614977d8f7361d8dce50d2bdf5f39521593c76b0d0c22c19b5d43a81e8adb9dd860dfee90fed41c59ec60f55925032d3

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\616c2e58-997e-4485-bed8-2da043805741
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            982B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            77059920e7d805ce3412f4706fea5680

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            90a45e597c2729b319dfac9f8d4ac8fa8249f274

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            9284a0d5009c5f45b2ea79c5dc4d3e63328db2636062c61ebe8707465f95e36c

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            69871e5fe929705337de6db3b730a7d9731e53ab60ff7db57399ee7aba0d75b917928b7884efb084209fbc24ae94d3dd51b9749d50f9b869fd4ae9b9a2058af5

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\bad00306-d7ca-4859-a8ce-6c658ab45600
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            25KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            b1ed7a308eab01f11f2dcebef570f53b

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            aaed0dc5bfa32bfe343fb56d4a4c92a5a0d022a8

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            a2a63c757554ce488dc80043c23b255fe82ddeed2d1e684ce946c1fb13c1a7e3

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            ed38b24e807f7b25d53ff243050fd82b27b229ea7f8f5ebdf3fd952c2b9cca1bd64b68200adb5b39e42e76b186814301b8dfad025330617b7e08348f74939216

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\prefs-1.js
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            b75b6d8e9b5e43a6f52c3e1ada3c7cdf

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            1417a3a3add0ed0a0258ffc28928dbb012da5d78

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            6604b6a35d78bb03ef1006d5f2c0efeaf4bec41e53fead626a196ffa9dac150b

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            ce1377eae7fbc9a5c541ba721a7ae4a41ddd3d6719d1e293da4bb5331062c9c1398e4e1ab0887abd217e823e7f7ad12d81a3e854abd37bfc8acb0f8e8fef21db

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\prefs.js
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            7ad61b204b74a58371e14dc46a7ef6fb

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            832c87e9068c2f73ac33d988f93a96fc63ca2e2a

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            d693c03b0eade747409bef8819327838e5866b2154c99c452d84ded746548e23

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            e64395f0c4b03f2d34ccd9e479346be7cdda24fa66b7c409cef288bfc4b53c6a9ae57ccda3fc61c0179c0d13864a79c735485d9aef0c277e9d5236e32d7f0f9e

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\Downloads\d8fe7b9f.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            3.1MB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            27e72d7ba1eb08bea5a880668bb8f17c

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            8a63bf3a3d7ddc9f22a8cb1ed774904b9d9d26bb

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            478129a4add06ae030a78a5c41236ded134cb4f08bb29bcdedf81c7067f2d0eb

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            b06c8a387832ebe927e72b1f8a7596288bfebe3e33e0383a0b53283addef8dd8b323a31db0e933e70a41180f4ac0b7932d4bc257ed04157f75b769b2c938b441

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Users\Admin\Downloads\d8fe7b9f.exe:Zone.Identifier
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            26B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            fbccf14d504b7b2dbcb5a5bda75bd93b

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            d59fc84cdd5217c6cf74785703655f78da6b582b

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            153KB

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            f33a4e991a11baf336a2324f700d874d

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            9da1891a164f2fc0a88d0de1ba397585b455b0f4

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • C:\note.txt
                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            218B

                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                            afa6955439b8d516721231029fb9ca1b

                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                            087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                            8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                            5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

                                                                                                                                                                                                                                            Download Submit

                                                                                                                                                                                                                                          • memory/1528-888-0x0000000000400000-0x000000000043C000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            240KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/2772-240-0x0000000000060000-0x0000000000384000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            3.1MB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/3376-28623-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/3500-889-0x00000182C0F40000-0x00000182C0F6E000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            184KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/4520-390-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/4520-388-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            36KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5112-376-0x000000001C8F0000-0x000000001C902000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            72KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5112-374-0x000000001C880000-0x000000001C8D0000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            320KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5112-375-0x000000001C990000-0x000000001CA42000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            712KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5112-391-0x000000001DED0000-0x000000001E3F8000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            5.2MB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5112-377-0x000000001C950000-0x000000001C98C000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            240KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5316-918-0x0000000010000000-0x0000000010012000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            72KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5568-2263-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5568-6835-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/5568-2265-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            1.4MB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/6008-28602-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/6544-28610-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/7048-28629-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/7856-28621-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            80KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/17512-28303-0x0000000004F70000-0x0000000004F7A000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            40KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/17512-28300-0x0000000005000000-0x0000000005092000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            584KB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/17512-28298-0x0000000005510000-0x0000000005AB6000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            5.6MB

                                                                                                                                                                                                                                            Download

                                                                                                                                                                                                                                          • memory/17512-28297-0x0000000000580000-0x00000000005F4000-memory.dmp

                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                            464KB

                                                                                                                                                                                                                                            Download