Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Dharma family
Wannacry
Dharma
Quasar payload
Wannacry family
Quasar family
Deletes shadow copies
Renames multiple (674) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Adds Run key to start application
Drops desktop.ini file(s)
UPX packed file
Sets desktop wallpaper using registry
Drops file in System32 directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Uses Volume Shadow Copy service COM API
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Interacts with shadow copies
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2025-02-20 16:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2025-02-20 16:51
Reported: 2025-02-20 16:56
Platform: win11-20250217-en
Max time kernel: 297s
Max time network: 328s
Command Line
Signatures
Dharma
Dharma family
Quasar RAT
Quasar family
Quasar payload
Wannacry
Wannacry family
Deletes shadow copies
Renames multiple (674) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wpe9zDqYnT51.exe | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5C8A.tmp | C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5CA0.tmp | C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C5shWjrkB7PY.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wpe9zDqYnT51.exe = "C:\\Windows\\System32\\Wpe9zDqYnT51.exe" | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Wpe9zDqYnT51.exe | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\Validator.Tests.ps1 | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square150x150Logo.scale-400_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Stack.js | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\mr.pak.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\setFocusVisibility.js | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforsignature.svg.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-200.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.ELM.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCard.styles.js | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-20_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\as.pak.DATA.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fa.pak.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-30_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\xul.dll.sig.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mi.pak | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\media_poster.jpg | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare71x71Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-selector.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fil.pak.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\contrast-black\MicrosoftSolitaireSmallTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-400.png | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe | N/A |
| File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\d8fe7b9f.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "16 119 246" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "91 100 209" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "197 122 29" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonFace = "140 57 99" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\MenuText = "119 180 213" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveBorder = "81 162 56" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "27 217 94" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonText = "247 255 147" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Background = "217 218 129" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "233 163 13" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitle = "126 205 136" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\MenuText = "189 88 240" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowText = "174 39 21" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Background = "59 47 32" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Menu = "185 169 21" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Window = "242 193 222" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "159 102 199" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "15 161 85" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\HilightText = "206 58 12" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "25 49 112" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Hilight = "233 74 80" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonShadow = "189 86 136" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\GrayText = "54 43 211" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "37 86 56" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "102 180 114" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Hilight = "116 70 243" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonText = "201 111 59" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "247 21 48" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitle = "7 90 87" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowText = "23 217 104" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Menu = "128 109 214" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "230 45 248" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveTitle = "100 233 53" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveBorder = "155 177 27" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\GrayText = "129 156 160" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "71 75 74" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "157 86 146" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "77 49 59" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveBorder = "255 15 227" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitle = "165 231 7" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "152 171 177" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonText = "173 241 132" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonShadow = "84 226 52" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowText = "6 228 55" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Window = "214 136 195" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "14 157 6" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\HilightText = "210 245 74" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Menu = "33 104 146" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Window = "254 98 63" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "186 176 181" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "72 176 150" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonShadow = "164 163 42" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\GrayText = "224 141 151" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "113 1 238" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "219 39 71" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\HilightText = "45 3 38" | C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\MenuText = "45 143 204" | C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "200 174 216" | C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Scrollbar = "10 94 45" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Background = "32 36 157" | C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 800755.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\d8fe7b9f.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\d8fe7b9f.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\d8fe7b9f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:8
C:\Users\Admin\Downloads\d8fe7b9f.exe
"C:\Users\Admin\Downloads\d8fe7b9f.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "javavs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe
"C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "javavs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe
"C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 27611 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc58a43d-c48a-4eb7-b758-eaab8f831156} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 27489 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1c90631-357a-4162-b3c7-d9e4156f7f7d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3268 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7abe9d9b-1419-4f4f-89bb-31a8fe92e375} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3172 -prefsLen 28555 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3aaddf5-3e16-4525-8467-80ed6a985939} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 4272 -prefsLen 32863 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0b999ea-7208-4a9e-87bd-d8216288be4d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 5008 -prefsLen 32863 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02a5a496-2da2-4f15-8aa8-276ff448d3ea} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bc77ba6-6c37-45d9-abd2-33f7c5b73ad3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5684 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744674db-6e99-4d4d-8d63-c8e4081b8e36} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 6 -isForBrowser -prefsHandle 5948 -prefMapHandle 5956 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ea5103-c192-42d8-be96-a0b39b32d311} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab
C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe
"C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe
"C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 262561740070401.bat
C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe
"C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe
"C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe"
C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe
"C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe"
C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe
"C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe"
C:\Users\Admin\AppData\Local\Temp\mRospJf6K4kz.exe
"C:\Users\Admin\AppData\Local\Temp\mRospJf6K4kz.exe"
C:\Users\Admin\AppData\Local\Temp\7yXGoA4N3yZu.exe
"C:\Users\Admin\AppData\Local\Temp\7yXGoA4N3yZu.exe"
C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe
"C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe"
C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe
"C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe"
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe"
C:\Users\Admin\AppData\Local\Temp\IM5eWQMtc2Zn.exe
"C:\Users\Admin\AppData\Local\Temp\IM5eWQMtc2Zn.exe"
C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe
"C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe"
C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe
"C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe"
C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe
"C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe"
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe"
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe"
C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe
"C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe"
C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe
"C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe"
C:\Users\Admin\AppData\Local\Temp\6OKWvlSKnKAj.exe
"C:\Users\Admin\AppData\Local\Temp\6OKWvlSKnKAj.exe"
C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe
"C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe"
C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe
"C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe"
C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe
"C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe"
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe
"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /main
C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe
"C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe
"C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe"
C:\Users\Admin\AppData\Local\Temp\Hb4u4O5C4dLX.exe
"C:\Users\Admin\AppData\Local\Temp\Hb4u4O5C4dLX.exe"
C:\Users\Admin\AppData\Local\Temp\em9RZDNzLWhg.exe
"C:\Users\Admin\AppData\Local\Temp\em9RZDNzLWhg.exe"
C:\Users\Admin\AppData\Local\Temp\N5wez5oJLK4e.exe
"C:\Users\Admin\AppData\Local\Temp\N5wez5oJLK4e.exe"
C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe
"C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe"
C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe
"C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe"
C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe
"C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe"
C:\Users\Admin\AppData\Local\Temp\0pWCtOtM9DUH.exe
"C:\Users\Admin\AppData\Local\Temp\0pWCtOtM9DUH.exe"
C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe"
C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe
"C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe"
C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe
"C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe"
C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe"
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe"
C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe"
C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe"
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe"
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe"
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe"
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe"
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe"
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe"
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\83893eae0e0842398fbeabd105dc2755 /t 20556 /p 10576
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe
"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe
"C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe"
C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe
"C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe"
C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe
"C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe"
C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe
"C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe"
C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe
"C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe"
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe
"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe
"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /main
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe
"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /main
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe
"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /main
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe
"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /main
C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe
"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /main
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe
"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /main
C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe
"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe
"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe
"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /main
C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe
"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe
"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog
Network
Files