Malware Analysis Report

2025-03-14 23:59

Sample ID 250220-vcwlhssjw4
Target https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg
Tags
dharma quasar wannacry office04 bootkit credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg was found to be: Known bad.

Malicious Activity Summary

Quasar RAT

Dharma family

Wannacry

Dharma

Quasar payload

Wannacry family

Quasar family

Deletes shadow copies

Renames multiple (674) files with added filename extension

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Adds Run key to start application

Drops desktop.ini file(s)

UPX packed file

Sets desktop wallpaper using registry

Drops file in System32 directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Uses Volume Shadow Copy service COM API

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported

2025-02-20 16:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-20 16:51

Reported

2025-02-20 16:56

Platform

win11-20250217-en

Max time kernel

297s

Max time network

328s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (674) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wpe9zDqYnT51.exe | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-98A77731.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5C8A.tmp | C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5CA0.tmp | C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe | N/A |

Executes dropped EXE

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C5shWjrkB7PY.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wpe9zDqYnT51.exe = "C:\\Windows\\System32\\Wpe9zDqYnT51.exe" | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe | N/A |

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

bootkit persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\Wpe9zDqYnT51.exe | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe | N/A |

Sets desktop wallpaper using registry

ransomware

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |

UPX packed file

upx

Drops file in Program Files directory

File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-400.png C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js.id-98A77731.[[email protected]].ncov C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
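Added example, not part of the sandbox report: the rows above show Wpe9zDqYnT51.exe writing names that end in .id-98A77731.[<contact>].ncov, the Dharma/CrySIS scheme of <original name>.id-<8 hex victim id>.[<contact e-mail>].<extension>. The Python below takes rows in the report's own "<description> <indicator> <process> N/A" layout, pulls the victim id, contact string and extension out of each indicator, recovers the pre-encryption file name, and counts suffixed versus untouched names per process. The sample rows are copied from this page; the contact address is redacted on the page as [email protected], so the pattern accepts any bracketed string. The threshold in ransomware_candidates is this example's assumption, not a sandbox rule.

```python
import re

# Dharma/CrySIS renames every encrypted file to
#   <original name>.id-<8 hex victim id>.[<contact e-mail>].<extension>
# The contact address is redacted on this page as "[email protected]", so the
# bracketed part is matched greedily and the engine backtracks to the last "].".
DHARMA_SUFFIX = re.compile(
    r"\.id-(?P<victim>[0-9A-Fa-f]{8})\.\[(?P<contact>.+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Report row layout: "<description> <indicator path> <process path> N/A".
DESCRIPTIONS = ("File created", "File opened for modification")

# Rows copied from this report; the last one, from a second dropped executable,
# gives the per-process split something to separate.
SAMPLE_ROWS = [
    r"File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF.id-98A77731.[[email protected]].ncov C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A",
    r"File created C:\Program Files\Mozilla Firefox\xul.dll.sig.id-98A77731.[[email protected]].ncov C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A",
    r"File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.id-98A77731.[[email protected]].ncov C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A",
    r"File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.id-98A77731.[[email protected]].ncov C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A",
    r"File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe N/A",
]


def parse_row(row):
    """Split a row into (description, indicator, process).  Both paths begin
    with a drive letter, so the process path starts at the last " C:\\"."""
    body = row.strip()
    body = body[:-4] if body.endswith(" N/A") else body
    desc = next((d for d in DESCRIPTIONS if body.startswith(d + " ")), None)
    cut = body.rfind(" C:\\")
    if desc is None or cut <= len(desc):
        raise ValueError(f"unrecognised row: {row[:40]!r}")
    return desc, body[len(desc) + 1:cut], body[cut + 1:]


def dharma_parts(name):
    """(victim id, contact, extension) if the name carries the suffix, else None."""
    m = DHARMA_SUFFIX.search(name)
    return None if m is None else (m.group("victim").upper(), m.group("contact"), m.group("ext"))


def original_name(name):
    """Strip the suffix to recover the pre-encryption file name."""
    return DHARMA_SUFFIX.sub("", name)


def summarise(rows):
    """Per process: suffixed vs. untouched indicators, plus the victim ids,
    contacts and extensions seen.  One victim id across hundreds of renames
    is what a single ransomware run looks like."""
    per_process = {}
    for row in rows:
        _desc, indicator, process = parse_row(row)
        entry = per_process.setdefault(process, {
            "encrypted": 0, "plain": 0, "victims": set(), "contacts": set(), "exts": set()})
        parts = dharma_parts(indicator)
        if parts is None:
            entry["plain"] += 1
            continue
        victim, contact, ext = parts
        entry["encrypted"] += 1
        entry["victims"].add(victim)
        entry["contacts"].add(contact)
        entry["exts"].add(ext)
    return per_process


def ransomware_candidates(per_process, min_encrypted=3):
    """Processes with at least min_encrypted suffixed names under one victim id.
    The threshold is this example's assumption, not a sandbox rule."""
    return sorted(p for p, e in per_process.items()
                  if e["encrypted"] >= min_encrypted and len(e["victims"]) == 1)


if __name__ == "__main__":
    stats = summarise(SAMPLE_ROWS)
    for process, entry in stats.items():
        print(f"{process}: encrypted={entry['encrypted']} plain={entry['plain']} "
              f"victims={sorted(entry['victims'])} exts={sorted(entry['exts'])}")
    print("candidates:", ransomware_candidates(stats))
```

Run against the full file table rather than these seven rows, the same code gives the per-process count that the "Renames multiple files" verdict is based on, and original_name() yields the list of files to restore from backup.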

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe N/A
File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\d8fe7b9f.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
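Added example, not part of the sandbox report: the key behind this signature is opened by ordinary system binaries as well as by the dropped samples (notepad.exe, cmd.exe, taskkill.exe and cscript.exe all appear in the table above), so the information worth extracting is the process column, not the key. The Python below buckets each process by where its image lives (System32/SysWOW64, the user's Temp directory, anything else under C:\Windows such as the Free Youtube Downloader directory this sample created, or Program Files) and ranks the non-system ones for review. The rows are copied from the table above; the bucket names, patterns and noise set are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Triage buckets for process image paths (this example's own labels).  Order
# matters: System32/SysWOW64 is tested before the catch-all for the rest of
# C:\Windows, where this report shows a "Free Youtube Downloader" directory.
LOCATIONS = [
    ("windows system binary", re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.I)),
    ("dropped in user temp", re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)),
    ("non-system path under C:\\Windows", re.compile(r"^C:\\Windows\\", re.I)),
    ("installed program", re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)),
]
NOISE = {"windows system binary", "installed program"}

SAMPLE_ROWS = [  # copied from the table above
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A",
]


def parse_row(row):
    """'Key opened <registry key> <process path> N/A' -> (key, process)."""
    body = row.strip()
    body = body[:-4] if body.endswith(" N/A") else body
    prefix, cut = "Key opened ", body.rfind(" C:\\")
    if not body.startswith(prefix) or cut < 0:
        raise ValueError(f"unrecognised row: {row[:40]!r}")
    return body[len(prefix):cut], body[cut + 1:]


def locate(process_path):
    """First matching bucket wins; unknown layouts land in 'other'."""
    for label, pattern in LOCATIONS:
        if pattern.search(process_path):
            return label
    return "other"


def triage(rows):
    """Return ({bucket: {process: hit count}}, {registry keys seen})."""
    buckets, keys = defaultdict(Counter), set()
    for row in rows:
        key, process = parse_row(row)
        keys.add(key)
        buckets[locate(process)][process] += 1
    return {label: dict(c) for label, c in buckets.items()}, keys


def review_order(rows):
    """Processes to look at first: everything outside the noise buckets,
    most hits first, then by path."""
    buckets, _keys = triage(rows)
    ranked = [(count, process) for label, procs in buckets.items()
              if label not in NOISE for process, count in procs.items()]
    return [process for _count, process in sorted(ranked, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    buckets, keys = triage(SAMPLE_ROWS)
    for label, procs in buckets.items():
        print(f"{label}: {procs}")
    print("review first:", review_order(SAMPLE_ROWS))
```

The same bucketing applies to the browser-only sections further down ("Checks processor information in registry" is all firefox.exe, "Enumerates system info in registry" is all msedge.exe): those land in the installed-program bucket and drop out of the review list.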

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "16 119 246" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "91 100 209" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "197 122 29" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonFace = "140 57 99" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\MenuText = "119 180 213" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveBorder = "81 162 56" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "27 217 94" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonText = "247 255 147" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Background = "217 218 129" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "233 163 13" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitle = "126 205 136" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\MenuText = "189 88 240" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowText = "174 39 21" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Background = "59 47 32" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Menu = "185 169 21" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Window = "242 193 222" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "159 102 199" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "15 161 85" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\HilightText = "206 58 12" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "25 49 112" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Hilight = "233 74 80" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonShadow = "189 86 136" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\GrayText = "54 43 211" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "37 86 56" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "102 180 114" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Hilight = "116 70 243" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonText = "201 111 59" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "247 21 48" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitle = "7 90 87" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowText = "23 217 104" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Menu = "128 109 214" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "230 45 248" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveTitle = "100 233 53" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveBorder = "155 177 27" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\GrayText = "129 156 160" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "71 75 74" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "157 86 146" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "77 49 59" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveBorder = "255 15 227" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitle = "165 231 7" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\AppWorkspace = "152 171 177" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonText = "173 241 132" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonShadow = "84 226 52" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowText = "6 228 55" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Window = "214 136 195" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\WindowFrame = "14 157 6" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\HilightText = "210 245 74" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Menu = "33 104 146" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Window = "254 98 63" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\InactiveTitleText = "186 176 181" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "72 176 150" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ButtonShadow = "164 163 42" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\GrayText = "224 141 151" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\ActiveBorder = "113 1 238" C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "219 39 71" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\HilightText = "45 3 38" C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\MenuText = "45 143 204" C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\TitleText = "200 174 216" C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Scrollbar = "10 94 45" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Control Panel\Colors\Background = "32 36 157" C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 800755.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\d8fe7b9f.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe\:SmartScreen:$DATA C:\Users\Admin\Downloads\d8fe7b9f.exe N/A
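Added example, not part of the sandbox report: the three stream rows under "Subvert Trust Controls: Mark-of-the-Web Bypass" and "NTFS ADS" are all Mark-of-the-Web plumbing. The Zone.Identifier stream on d8fe7b9f.exe and the SmartScreen stream on the .crdownload are written by msedge.exe itself, which is the ordinary download path for any browser; the row worth following is the third, where the downloaded d8fe7b9f.exe creates a SmartScreen stream on a same-named file under AppData\Roaming\SubDir. The Python below parses the report's stream notation (<file>:<stream>:$DATA, tolerating the stray backslash the report prints before the colon), separates browser-written marks from streams written by other processes, groups files by base name so the Downloads original and the SubDir copy line up, and parses a Zone.Identifier body. The rows are copied from this page; the Zone.Identifier contents and the browser list are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Report row layout: "<description> <indicator> <process> N/A".
DESCRIPTIONS = ("File created", "File opened for modification")

# Stream indicator layout: <file>:<stream>[:$DATA].  One row on the page prints
# "...d8fe7b9f.exe\:SmartScreen:$DATA", so a backslash before the colon is tolerated.
STREAM_RE = re.compile(
    r"^(?P<file>[A-Za-z]:\\.*?)\\?:(?P<stream>[^:\\]+)(?::(?P<type>\$[A-Za-z]+))?$"
)

# Streams carrying download-origin metadata, and the browser images whose writes
# to them are the ordinary download path (assumption for this example).
MOTW_STREAMS = {"Zone.Identifier", "SmartScreen"}
BROWSERS = {"msedge.exe", "firefox.exe"}
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

SAMPLE_ROWS = [  # copied from the two stream tables on this page
    r"File opened for modification C:\Users\Admin\Downloads\Unconfirmed 800755.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A",
    r"File opened for modification C:\Users\Admin\Downloads\d8fe7b9f.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A",
    r"File created C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe\:SmartScreen:$DATA C:\Users\Admin\Downloads\d8fe7b9f.exe N/A",
]

# Constructed Zone.Identifier body: the report shows only the stream name, and
# HostUrl here is a placeholder, not the real download URL.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://mega.nz/
HostUrl=https://example.invalid/d8fe7b9f.exe
"""


def parse_row(row):
    """(description, indicator, process); the process path starts at the last " C:\\"."""
    body = row.strip()
    body = body[:-4] if body.endswith(" N/A") else body
    desc = next((d for d in DESCRIPTIONS if body.startswith(d + " ")), None)
    cut = body.rfind(" C:\\")
    if desc is None or cut <= len(desc):
        raise ValueError(f"unrecognised row: {row[:40]!r}")
    return desc, body[len(desc) + 1:cut], body[cut + 1:]


def parse_stream_path(indicator):
    """(file, stream, stream type) for an ADS indicator, else None."""
    m = STREAM_RE.match(indicator)
    return None if m is None else (m.group("file"), m.group("stream"), m.group("type") or "$DATA")


def _basename(path):
    return os.path.basename(path.replace("\\", "/"))


def classify_events(rows):
    """One record per ADS row, with a verdict on who wrote the stream."""
    events = []
    for row in rows:
        _desc, indicator, process = parse_row(row)
        parsed = parse_stream_path(indicator)
        if parsed is None:
            continue  # not a stream indicator
        file_path, stream, stype = parsed
        if stream not in MOTW_STREAMS:
            verdict = "other ADS"
        elif _basename(process).lower() in BROWSERS:
            verdict = "download-time marking by browser"
        else:
            verdict = "MOTW stream written by non-browser process"
        events.append({"file": file_path, "stream": stream, "type": stype,
                       "process": process, "verdict": verdict})
    return events


def copies_by_name(events):
    """Base names seen at more than one path: a binary in Downloads that shows
    up again under AppData is a copy worth chasing."""
    groups = defaultdict(set)
    for event in events:
        groups[_basename(event["file"]).lower()].add(event["file"])
    return {name: sorted(paths) for name, paths in groups.items() if len(paths) > 1}


def parse_zone_identifier(body):
    """Parse the INI-style Zone.Identifier stream; ZoneId comes back as an int with its name."""
    values, section = {}, None
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    if "ZoneId" in values:
        values["ZoneId"] = int(values["ZoneId"])
        values["ZoneName"] = ZONE_NAMES.get(values["ZoneId"], "unknown")
    return values
```

On a live host the equivalent check is to list the streams on both paths (PowerShell Get-Item -Stream *) and compare: a copy that still carries Zone.Identifier with ZoneId=3 has not bypassed anything, while a copy with the stream stripped is the actual evidence for this signature's name.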

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\d8fe7b9f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/i6hDRJRQ#JLqR-5qqYJ6OkWcBS57auOl1AL70UrciKMP2WvXbnWg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1292,12111126045854243692,1826906115101393542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:8

C:\Users\Admin\Downloads\d8fe7b9f.exe

"C:\Users\Admin\Downloads\d8fe7b9f.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "javavs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe

"C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "javavs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\d8fe7b9f.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe

"C:\Users\Admin\AppData\Local\Temp\G5LWNtPYgIms.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 27611 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc58a43d-c48a-4eb7-b758-eaab8f831156} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 27489 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1c90631-357a-4162-b3c7-d9e4156f7f7d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3268 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7abe9d9b-1419-4f4f-89bb-31a8fe92e375} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3172 -prefsLen 28555 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3aaddf5-3e16-4525-8467-80ed6a985939} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 4272 -prefsLen 32863 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0b999ea-7208-4a9e-87bd-d8216288be4d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 5008 -prefsLen 32863 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02a5a496-2da2-4f15-8aa8-276ff448d3ea} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bc77ba6-6c37-45d9-abd2-33f7c5b73ad3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5684 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744674db-6e99-4d4d-8d63-c8e4081b8e36} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 6 -isForBrowser -prefsHandle 5948 -prefMapHandle 5956 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ea5103-c192-42d8-be96-a0b39b32d311} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" tab

C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe

"C:\Users\Admin\AppData\Local\Temp\DApaq4et8N9X.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe

"C:\Users\Admin\AppData\Local\Temp\C5shWjrkB7PY.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 262561740070401.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe

"C:\Users\Admin\AppData\Local\Temp\Wpe9zDqYnT51.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe

"C:\Users\Admin\AppData\Local\Temp\daTWcvQQAy4N.exe"

C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe

"C:\Users\Admin\AppData\Local\Temp\wHw5AdFL1u8a.exe"

C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe

"C:\Users\Admin\AppData\Local\Temp\w2xA06T30ghJ.exe"

C:\Users\Admin\AppData\Local\Temp\mRospJf6K4kz.exe

"C:\Users\Admin\AppData\Local\Temp\mRospJf6K4kz.exe"

C:\Users\Admin\AppData\Local\Temp\7yXGoA4N3yZu.exe

"C:\Users\Admin\AppData\Local\Temp\7yXGoA4N3yZu.exe"

C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe

"C:\Users\Admin\AppData\Local\Temp\wVcOIjy9XczJ.exe"

C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe

"C:\Users\Admin\AppData\Local\Temp\vHr6IvuUj23H.exe"

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe"

C:\Users\Admin\AppData\Local\Temp\IM5eWQMtc2Zn.exe

"C:\Users\Admin\AppData\Local\Temp\IM5eWQMtc2Zn.exe"

C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe

"C:\Users\Admin\AppData\Local\Temp\8WBvbLR1R8Pt.exe"

C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe

"C:\Users\Admin\AppData\Local\Temp\XJm94rT7sBIp.exe"

C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe

"C:\Users\Admin\AppData\Local\Temp\A1CR68Ce9O8c.exe"

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe"

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe"

C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe

"C:\Users\Admin\AppData\Local\Temp\iMudI275C77w.exe"

C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe

"C:\Users\Admin\AppData\Local\Temp\NDqj6HfJ7RT2.exe"

C:\Users\Admin\AppData\Local\Temp\6OKWvlSKnKAj.exe

"C:\Users\Admin\AppData\Local\Temp\6OKWvlSKnKAj.exe"

C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe

"C:\Users\Admin\AppData\Local\Temp\X48ENIPtevwX.exe"

C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe

"C:\Users\Admin\AppData\Local\Temp\hM5H0TJVkPoD.exe"

C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe

"C:\Users\Admin\AppData\Local\Temp\t93YkBzOJ1Ey.exe"

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe

"C:\Users\Admin\AppData\Local\Temp\MYkTLqvs1zFu.exe" /main

C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe

"C:\Users\Admin\AppData\Local\Temp\OftMsUdvyqj2.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe

"C:\Users\Admin\AppData\Local\Temp\7yFqJ1aHDQde.exe"

C:\Users\Admin\AppData\Local\Temp\Hb4u4O5C4dLX.exe

"C:\Users\Admin\AppData\Local\Temp\Hb4u4O5C4dLX.exe"

C:\Users\Admin\AppData\Local\Temp\em9RZDNzLWhg.exe

"C:\Users\Admin\AppData\Local\Temp\em9RZDNzLWhg.exe"

C:\Users\Admin\AppData\Local\Temp\N5wez5oJLK4e.exe

"C:\Users\Admin\AppData\Local\Temp\N5wez5oJLK4e.exe"

C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe

"C:\Users\Admin\AppData\Local\Temp\jy1pFUADDGMB.exe"

C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe

"C:\Users\Admin\AppData\Local\Temp\5q7oPUWa1tMO.exe"

C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe

"C:\Users\Admin\AppData\Local\Temp\Jb5zCjXLbxOU.exe"

C:\Users\Admin\AppData\Local\Temp\0pWCtOtM9DUH.exe

"C:\Users\Admin\AppData\Local\Temp\0pWCtOtM9DUH.exe"

C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe

"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe"

C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe

"C:\Users\Admin\AppData\Local\Temp\0FsfJTv7zPXX.exe"

C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe

"C:\Users\Admin\AppData\Local\Temp\AVB24mw0mCmN.exe"

C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe

"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe"

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe"

C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe

"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe"

C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe

"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe"

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe"

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe"

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe"

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe"

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe"

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe"

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\83893eae0e0842398fbeabd105dc2755 /t 20556 /p 10576

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe

"C:\Users\Admin\AppData\Local\Temp\SZMzKwY6VLVE.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8

C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe

"C:\Users\Admin\AppData\Local\Temp\K9tklfHePQes.exe"

C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe

"C:\Users\Admin\AppData\Local\Temp\n9q3EU8pOWDR.exe"

C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe

"C:\Users\Admin\AppData\Local\Temp\l8me5mDPOmRD.exe"

C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe

"C:\Users\Admin\AppData\Local\Temp\BV5jkr3xcfLR.exe"

C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe

"C:\Users\Admin\AppData\Local\Temp\ESgUilGt7mgk.exe"

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe

"C:\Users\Admin\AppData\Local\Temp\OXvEvMjuYhfR.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0nlpS45y19.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2d8c3cb8,0x7ffc2d8c3cc8,0x7ffc2d8c3cd8

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe

"C:\Users\Admin\AppData\Local\Temp\4Sqrkg4Awo7w.exe" /main

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe

"C:\Users\Admin\AppData\Local\Temp\TLJWrRIqH6ic.exe" /main

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe

"C:\Users\Admin\AppData\Local\Temp\7UytqtytlGFJ.exe" /main

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe

"C:\Users\Admin\AppData\Local\Temp\5NascNFx7wGI.exe" /main

C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe

"C:\Users\Admin\AppData\Local\Temp\ElxFbSSh6ghc.exe" /main

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe

"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe

"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe

"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe

"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe

"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe

"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe

"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe

"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe

"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe

"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe

"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe

"C:\Users\Admin\AppData\Local\Temp\T16gBy127MVm.exe" /main

C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe

"C:\Users\Admin\AppData\Local\Temp\3WVHx1Yy6Waq.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe

"C:\Users\Admin\AppData\Local\Temp\RjnKvtUAO3kc.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe

"C:\Users\Admin\AppData\Local\Temp\SG9UF95vkh8h.exe" /main

C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe

"C:\Users\Admin\AppData\Local\Temp\axsZBTrRZ9Uv.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe

"C:\Users\Admin\AppData\Local\Temp\qiPZP7o4tleY.exe" /watchdog

Network

Country Destination Domain Proto
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
LU 31.216.144.5:443 mega.nz tcp
LU 31.216.144.5:443 mega.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
N/A 127.0.0.1:6341 tcp
N/A 224.0.0.251:5353 udp

Files
