Analysis
max time kernel: 850s
max time network: 862s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64 arch:x86 image:win11-20250217-en locale:en-us os:windows11-21h2-x64 system
submitted: 07/03/2025, 16:15
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://www.abuse.ch
Resource: win11-20250217-en
Errors
General
Target: http://www.abuse.ch
Malware Config
Signatures
Dharma
Dharma (also tracked as CrySIS) is a ransomware family. The stock signature text, "uses security software installation to hide malicious activities", refers to campaigns in which the dropper installs a legitimate security product as a decoy while encryption runs; nothing in this run's IoCs shows such a decoy. What the IoCs do show are Dharma's hallmarks: every encrypted file is renamed to <name>.id-<victim id>.[<contact e-mail>].<extension> (here id-901BD4FA and .ncov, with the address rendered on this page as [email protected]), an Info.hta ransom note is dropped and registered for autostart via mshta.exe, a copy of the binary is planted in System32 and the Startup folder, and shadow copies are deleted through vssadmin.exe.
Dharma family
Deletes shadow copies  3 TTPs
Ransomware deletes Volume Shadow Copies so that the victim cannot roll encrypted files back to an earlier version; the vssadmin.exe processes are listed under "Interacts with shadow copies" below.
Renames multiple (669) files with added filename extension
669 files were renamed with an appended extension, which is the footprint of a ransomware encrypting files across the system. The suffix appended in this run is .id-901BD4FA.[[email protected]].ncov, as the file IoCs below show.
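Added example, not part of the sandbox report: a Python triage script that parses the .id-<victim id>.[<contact>].<ext> naming convention visible in the file IoCs of this report, counts renamed files by their original type, and separates the Info.hta ransom notes (flagging the one in a Startup folder) from encrypted files. The paths in SAMPLE_PATHS are copied from this report; the function names are mine, and the obfuscated e-mail is left exactly as the page renders it, so the parser is written to tolerate the nested brackets.

```python
"""Triage of the Dharma-style renaming seen in this report.

Added example: this is not code from the sandbox report or from the malware.
Dharma (CrySIS) appends ".id-<8 hex chars>.[<contact e-mail>].<ext>" to every
file it encrypts and drops an Info.hta ransom note, which is the pattern in the
"Drops file in Program Files directory" and "Drops startup file" sections.
SAMPLE_PATHS is copied from those sections; the address inside the brackets
shows as "[email protected]" because the page obfuscated it, so the parser
tolerates nested brackets instead of assuming a clean e-mail address.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# <original name>.id-<victim id>.[<contact>].<marker extension>
# Anchored at both ends so the non-greedy groups cannot swallow the marker.
DHARMA_NAME = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]{2,16})$"
)
RANSOM_NOTE_NAMES = {"info.hta"}          # the note file name observed in this run
STARTUP_DIR = "\\start menu\\programs\\startup\\"

SAMPLE_PATHS = [  # copied from the report's IoC lists
    r"C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id-901BD4FA.[[email protected]].ncov",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.id-901BD4FA.[[email protected]].ncov",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-901BD4FA.[[email protected]].ncov",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Windows\System32\Info.hta",
    r"C:\Program Files\7-Zip\7-zip32.dll",   # opened by the sample but not renamed
]


def parse_dharma_name(path: str):
    """Return the fields of a Dharma-renamed file name, or None if the name
    does not carry the .id-<id>.[<contact>].<ext> suffix."""
    m = DHARMA_NAME.match(PureWindowsPath(path).name)
    if not m:
        return None
    fields = m.groupdict()
    # extension of the file before it was encrypted (dll, txt, js, ...)
    fields["orig_ext"] = PureWindowsPath(fields["orig"]).suffix.lstrip(".").lower()
    return fields


def is_ransom_note(path: str) -> bool:
    return PureWindowsPath(path).name.lower() in RANSOM_NOTE_NAMES


def triage(paths):
    """Summarise file IoCs: how many files were renamed, the victim id(s) and
    contact(s) embedded in the names, the marker extension, which original
    file types were hit, and where ransom notes landed (a note in a Startup
    folder doubles as a persistence mechanism)."""
    s = {
        "renamed": 0, "victim_ids": set(), "contacts": set(), "marker_exts": set(),
        "orig_ext_counts": Counter(), "ransom_notes": [], "startup_notes": [],
    }
    for p in paths:
        parsed = parse_dharma_name(p)
        if parsed:
            s["renamed"] += 1
            s["victim_ids"].add(parsed["victim_id"].upper())
            s["contacts"].add(parsed["contact"])
            s["marker_exts"].add(parsed["ext"].lower())
            s["orig_ext_counts"][parsed["orig_ext"]] += 1
        elif is_ransom_note(p):
            s["ransom_notes"].append(p)
            if STARTUP_DIR in p.lower():
                s["startup_notes"].append(p)
    return s


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Feeding the full "Drops file in Program Files directory" list through triage() gives the victim id and marker extension to pivot on, and the original-extension histogram shows that this sample encrypts DLLs, licence files and resource data under Program Files rather than only user documents, which is why so many applications break after a Dharma infection.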
Downloads MZ/PE file  4 IoCs
flow  pid  Process
78  1464  msedge.exe (×3)
130  1464  msedge.exe
Credentials from Password Stores: Windows Credential Manager  1 TTPs
Suspicious access to Credentials History.
Drops startup file  5 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-901BD4FA.[[email protected]].ncov  CoronaVirus.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta  CoronaVirus.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe  CoronaVirus.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  CoronaVirus.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-901BD4FA.[[email protected]].ncov  CoronaVirus.exe
Executes dropped EXE  39 IoCs
pid  Process
1788  CoronaVirus.exe
200  CoronaVirus.exe
17196  msedge.exe
7988  msedge.exe
25268  msedge.exe
10388  msedge.exe
10720  msedge.exe
23736  msedge.exe
22444  msedge.exe
6728  msedge.exe
5700  msedge.exe
24196  msedge.exe
23568  msedge.exe
6980  msedge.exe
7348  FreeYoutubeDownloader.exe
1616  Free YouTube Downloader.exe
11480  Free YouTube Downloader.exe
23424  msedge.exe
10104  Box.exe
7644  msedge.exe
5268  Box.exe
5144  msedge.exe
15268  portmaster-installer.exe
7272  portmaster-start.exe
7072  portmaster-start.exe
14044  Free YouTube Downloader.exe
5472  Box.exe
5880  Box.exe
14876  Box.exe
11992  msedge.exe
12400  msedge.exe
12656  Box.exe
12800  msedge.exe
24104  Box.exe
12192  MEMZ.exe
11684  MEMZ.exe
11612  MEMZ.exe
11524  MEMZ.exe
11440  MEMZ.exe
Loads dropped DLL  22 IoCs
pid  Process
17196  msedge.exe
7988  msedge.exe
25268  msedge.exe
10720  msedge.exe
10388  msedge.exe
23736  msedge.exe
22444  msedge.exe
6728  msedge.exe
5700  msedge.exe
24196  msedge.exe
23568  msedge.exe
6980  msedge.exe
23424  msedge.exe
7644  msedge.exe
5144  msedge.exe
15268  portmaster-installer.exe (×4)
11992  msedge.exe
12400  msedge.exe
12800  msedge.exe
Reads user/profile data of web browsers  3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application  2 TTPs  4 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"  CoronaVirus.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""  CoronaVirus.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""  CoronaVirus.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"  FreeYoutubeDownloader.exe
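Added example, not code from the report: a Python triage of the autostart entries above together with the Startup-folder drops listed earlier. The four Run values and three Startup-folder paths are copied from this report (with the registry dump's doubled backslashes collapsed); the flag names and helper functions are mine. It separates the CoronaVirus.exe entries from the installer's entry by the traits that matter to a responder: a LOLBin launcher (mshta.exe running an .hta), a value name that is itself a file path, an HTA payload, a payload in a user-writable profile directory, and a binary planted under the Windows directory.

```python
"""Triage of the autostart entries listed in this report.

Added example, not code from the report. RUN_VALUES and STARTUP_DROPS are
copied from the "Adds Run key to start application" and "Drops startup file"
sections; everything else (flag names, scoring) is the example's own.
"""
import re
from pathlib import PureWindowsPath

LOLBIN_LAUNCHERS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                    "regsvr32.exe", "powershell.exe", "cmd.exe"}
AUTOSTART_EXTS = {".exe", ".hta", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".scr"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

RUN_VALUES = [  # (registry path of the value, REG_SZ data, writing process)
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe",
     r"C:\Windows\System32\CoronaVirus.exe", "CoronaVirus.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta",
     r'mshta.exe "C:\Windows\System32\Info.hta"', "CoronaVirus.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta",
     r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"', "CoronaVirus.exe"),
    (r"\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader",
     r"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe", "FreeYoutubeDownloader.exe"),
]
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-901BD4FA.[[email protected]].ncov",
]


def split_command(data: str):
    """Split a Run value into (image, arguments). Handles a quoted image and
    an unquoted image path containing spaces, the case that naive whitespace
    splitting gets wrong."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end != -1:
            return data[1:end], data[end + 1:].strip()
    m = re.match(r"^(?P<img>.+?\.(?:exe|com|bat|cmd|hta|vbs|js))(?:\s+(?P<args>.*))?$", data, re.I)
    if m:
        return m.group("img"), m.group("args") or ""
    head, _, rest = data.partition(" ")
    return head, rest


def classify_run_value(value_path: str, data: str):
    """Return the list of traits for one Run value (hive first, then flags)."""
    flags = ["machine_hive" if value_path.upper().startswith(r"\REGISTRY\MACHINE") else "user_hive"]
    m = RUN_KEY.search(value_path)
    value_name = value_path[m.end():] if m else value_path
    image, args = split_command(data)
    image_name = PureWindowsPath(image).name.lower()
    target = image
    if image_name in LOLBIN_LAUNCHERS:
        flags.append("lolbin_launcher:" + image_name)
        target = args.strip().strip('"')          # the script the LOLBin runs
    if target.lower().endswith(".hta"):
        flags.append("hta_payload")
    if re.match(r"^[A-Za-z]:\\", value_name):
        flags.append("value_name_is_path")         # seen on the Dharma entries
    low = target.lower()
    if low.startswith("c:\\windows\\"):
        flags.append("binary_under_windows_dir")
    if "\\appdata\\" in low or "\\users\\public\\" in low:
        flags.append("user_writable_payload")
    return flags


def classify_startup_drop(path: str):
    """Flags for a file written to a Startup folder; an encrypted desktop.ini
    there is collateral damage, an .exe or .hta is a persistence mechanism."""
    flags = []
    if STARTUP_DIR.search(path):
        flags.append("startup_folder")
        if PureWindowsPath(path).suffix.lower() in AUTOSTART_EXTS:
            flags.append("autostart_payload")
    return flags


def triage(run_values=RUN_VALUES, startup_drops=STARTUP_DROPS):
    """Rank every autostart artefact by the number of suspicious traits."""
    rows = [(vp, proc, classify_run_value(vp, data)) for vp, data, proc in run_values]
    rows += [(p, None, classify_startup_drop(p)) for p in startup_drops]
    noise = {"machine_hive", "user_hive", "startup_folder"}
    return sorted(rows, key=lambda r: -len([f for f in r[2] if f not in noise]))


if __name__ == "__main__":
    for target, proc, flags in triage():
        print(f"{len(flags):>2}  {proc or '-':<26} {target}\n      {', '.join(flags)}")
```

The installer's entry scores low on purpose: an unquoted path under C:\Windows is untidy but not malicious on its own, whereas the Dharma entries combine a LOLBin, an HTA and a path-shaped value name, which is the combination worth alerting on.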
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s)  64 IoCs
description  ioc  (Process: CoronaVirus.exe for every entry)
File opened for modification  C:\Program Files (x86)\desktop.ini
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification  C:\Users\Admin\Favorites\desktop.ini
File opened for modification  C:\Users\Admin\Music\desktop.ini
File opened for modification  C:\Users\Admin\OneDrive\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification  C:\Users\Public\Downloads\desktop.ini
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-2250935964-4080446702-2776729278-1000\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File opened for modification  C:\$Recycle.Bin\S-1-5-21-2250935964-4080446702-2776729278-1000\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification  C:\Users\Public\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification  C:\Users\Public\Documents\desktop.ini
File opened for modification  C:\Users\Public\Videos\desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification  C:\Users\Admin\Contacts\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification  C:\Program Files\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification  C:\Users\Admin\Pictures\desktop.ini
File opened for modification  C:\Users\Public\Libraries\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification  C:\Users\Admin\Links\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
File opened for modification  C:\Users\Public\Music\desktop.ini
File opened for modification  C:\Users\Public\Pictures\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
File opened for modification  C:\Users\Admin\Desktop\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification  C:\Users\Admin\Documents\desktop.ini
File opened for modification  C:\Users\Admin\Downloads\desktop.ini
File opened for modification  C:\Users\Public\Desktop\desktop.ini
File opened for modification  C:\Users\Admin\Saved Games\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Legitimate hosting services abused for malware hosting/C2  1 TTPs  2 IoCs
flow  ioc
63  raw.githubusercontent.com
78  raw.githubusercontent.com
Flow 78 is also the flow on which msedge.exe (pid 1464) downloaded PE files (see "Downloads MZ/PE file"), so at least one of the executables run in this session was fetched from raw.githubusercontent.com.
Drops file in System32 directory  2 IoCs
description  ioc  Process
File created  C:\Windows\System32\CoronaVirus.exe  CoronaVirus.exe
File created  C:\Windows\System32\Info.hta  CoronaVirus.exe
Drops file in Program Files directory  64 IoCs
description  ioc  (Process: CoronaVirus.exe for every entry)
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x
File created  C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif
File opened for modification  C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\elevation_service.exe.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\PdfPreview\PdfPreviewHandler.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\7-Zip\7-zip32.dll
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-200.png
File created  C:\Program Files\Java\jre-1.8\lib\management\management.properties.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll
File created  C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\ui-strings.js.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll
File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE
File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupFooter.js
File opened for modification  C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\ImportUnregister.au3
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated_contrast-black.png
File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\NOTICE.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll
File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupFooter.styles.js
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.ELM.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\km.pak.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-unplated.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60_contrast-white.png
File created  C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.id-901BD4FA.[[email protected]].ncov
File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_90.0.818.66_neutral__8wekyb3d8bbwe\AppxManifest.xml
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\psuser.dll
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.id-901BD4FA.[[email protected]].ncov
File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@flu
entui\react\lib-amd\components\GroupedList\GroupShowAll.js
File opened for modification  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\renderFunction\composeRenderFunction.js
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_18.svg.id-901BD4FA.[[email protected]].ncov
Drops file in Windows directory  4 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe  FreeYoutubeDownloader.exe
File opened for modification  C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe  FreeYoutubeDownloader.exe
File opened for modification  C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe  FreeYoutubeDownloader.exe
File created  C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini  FreeYoutubeDownloader.exe
Subvert Trust Controls: Mark-of-the-Web Bypass  1 TTPs  4 IoCs
Files downloaded from the Internet are tagged with an NTFS alternate data stream named Zone.Identifier whose ZoneId value (3 = Internet) is the Mark-of-the-Web; SmartScreen, Office Protected View and the "this file came from another computer" prompt all key off it. Caveat for this run: every IoC below is msedge.exe writing the stream onto a file it has just saved to Downloads, which is the browser applying the mark, not removing it. The signature fires on any access to the stream, so on its own it is not evidence of a bypass; the same writes appear again under "NTFS ADS".
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\portmaster-installer.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier  msedge.exe
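Added example, not code from the report: since the four IoCs above only show the browser writing Zone.Identifier, the question an analyst actually wants answered is what the stream says, or whether it is still there, by the time each download is executed. The Python below parses the stream's INI text, reads it from NTFS on a live system, and turns a set of streams into verdicts. SAMPLE_STREAMS is constructed for the example: the file names are the ones in the report, but the stream contents, zone values and URLs are not (the report does not show them), and the function names are mine.

```python
"""Reading and interpreting the Mark-of-the-Web on downloaded files.

Added example, not code from the report. parse_zone_identifier() parses the
stream's INI text, read_motw() reads it from NTFS (Windows only), and
triage_downloads() maps a set of streams to verdicts. SAMPLE_STREAMS is
constructed: file names from the report, contents and URLs invented here.
"""
import configparser
from pathlib import Path

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

SAMPLE_STREAMS = {  # constructed contents, not from the report
    r"C:\Users\Admin\Downloads\CoronaVirus.exe":
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/index.html\r\n"
        "HostUrl=https://raw.githubusercontent.com/example/example/main/CoronaVirus.exe\r\n",
    r"C:\Users\Admin\Downloads\MEMZ.exe":
        "[ZoneTransfer]\r\nZoneId=3\r\n",
    r"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe":
        "[ZoneTransfer]\r\nZoneId=1\r\n",          # intranet zone: no SmartScreen prompt
    r"C:\Users\Admin\Downloads\portmaster-installer.exe": None,   # stream absent
}


def parse_zone_identifier(text: str):
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.
    Only '=' is treated as a delimiter so the ':' inside URLs is kept."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def read_motw(path):
    """Read <path>:Zone.Identifier from an NTFS volume (Windows only).
    Returns None when the stream is absent: the file was never marked, was
    unblocked, or the mark was stripped (a Mark-of-the-Web bypass)."""
    try:
        return Path(str(path) + ":Zone.Identifier").read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None


def motw_verdict(stream_text):
    """Map a stream (or None) to a verdict plus the parsed fields."""
    if stream_text is None:
        return "absent", None
    info = parse_zone_identifier(stream_text)
    if info is None or info["zone_id"] is None:
        return "malformed", info
    if info["zone_id"] >= 3:
        return "internet", info           # MOTW intact: SmartScreen/Protected View apply
    return "trusted_zone", info           # zones 0-2 are treated as local/intranet, no prompts


def triage_downloads(streams):
    """streams: {path: stream text or None}. Returns {path: (verdict, host_url)}."""
    out = {}
    for path, text in streams.items():
        verdict, info = motw_verdict(text)
        out[path] = (verdict, info["host_url"] if info else None)
    return out


if __name__ == "__main__":
    for path, (verdict, host) in triage_downloads(SAMPLE_STREAMS).items():
        print(f"{verdict:<13} {path}  {host or ''}")
```

On a live host, replace SAMPLE_STREAMS with {p: read_motw(p) for p in downloads}; an "absent" verdict on a file in Downloads that the browser telemetry says it marked is the condition that actually indicates a bypass. The HostUrl field is also the quickest way to recover the download origin for files fetched through a hosting service such as raw.githubusercontent.com.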
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  1 TTPs  16 IoCs
The process reads the system language from the registry, which malware uses to infer the victim's geographic location before acting. Note that legitimate installers read the same key for localisation, and most of the entries here come from the installers run in this session, so on its own this is weak evidence.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CoronaVirus.exe (×2)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FreeYoutubeDownloader.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Box.exe (×7)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MEMZ.exe (×5)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  portmaster-installer.exe
Enumerates system info in registry  2 TTPs  3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Interacts with shadow copies  3 TTPs  2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. The report records the vssadmin.exe processes but not their command lines; the SeBackupPrivilege/SeRestorePrivilege acquisition by vssvc.exe under "Suspicious use of AdjustPrivilegeToken" is the service side of the same operation.
pid  Process
13296  vssadmin.exe
9876  vssadmin.exe
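Added example, not code from the report: detection logic for the shadow-copy signatures, written against process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing), which is where the vssadmin command line and its parent process are recorded. The two vssadmin pids in SAMPLE_EVENTS come from this report; their command lines, parents and the other records are constructed, including a benign "vssadmin list shadows" that must not fire. The pattern table also covers the wmic, wbadmin, bcdedit and Win32_ShadowCopy variants that other ransomware families use for the same ATT&CK technique (T1490), which goes beyond what this run shows.

```python
"""Detecting shadow-copy deletion from process-creation telemetry.

Added example, not code from the report. The report records only that
vssadmin.exe ran twice (pids 13296 and 9876) and that vssvc.exe acquired
SeBackupPrivilege/SeRestorePrivilege, which is the VSS service doing its
normal work on behalf of the caller; the signal lives in the caller's command
line and parent. SAMPLE_EVENTS is constructed: the two vssadmin pids come from
the report, everything else in the records does not.
"""
import re

# (label, pattern) pairs for recovery-inhibition commands (ATT&CK T1490).
RECOVERY_INHIBIT = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Win32_ShadowCopy deletion via WMI/PowerShell",
     re.compile(r"Win32_ShadowCopy\b.*\b(?:Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
]

SAMPLE_EVENTS = [  # constructed process-creation records
    {"pid": 13296, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "parent_image": "CoronaVirus.exe"},
    {"pid": 9876, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet", "parent_image": "cmd.exe"},
    {"pid": 4242, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "parent_image": "cmd.exe"},          # benign
    {"pid": 4300, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No", "parent_image": "cmd.exe"},
    {"pid": 4310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
     "parent_image": "CoronaVirus.exe"},
]


def match_recovery_inhibit(cmdline: str):
    """Return the labels of every recovery-inhibition pattern the command line matches."""
    return [label for label, rx in RECOVERY_INHIBIT if rx.search(cmdline or "")]


def scan_process_events(events):
    """Walk process-creation records and return one finding per matching
    process, keeping the parent image so the vssadmin call can be attributed
    to the ransomware rather than to an administrator."""
    findings = []
    for ev in events:
        hits = match_recovery_inhibit(ev.get("cmdline", ""))
        if hits:
            findings.append({
                "pid": ev["pid"],
                "parent_image": ev.get("parent_image"),
                "techniques": hits,
                "cmdline": ev["cmdline"],
                "attack_id": "T1490",
            })
    return findings


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  parent={f['parent_image']:<16} {', '.join(f['techniques'])}")
```

The parent image is the field to pivot on in a real investigation: vssadmin launched by an unsigned binary in the user's profile, as in the first constructed record, is a much stronger signal than the same command from an administrator's shell, and it is also the pivot that links the vssadmin pids in this report back to CoronaVirus.exe.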
Modifies registry class  10 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node  portmaster-installer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"  BackgroundTransferHost.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}\LocalServer32  portmaster-installer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  portmaster-installer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}  portmaster-installer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}\LocalServer32\ = "\"C:\\ProgramData\\Safing\\Portmaster\\portmaster-start.exe\" notifier-snoretoast"  portmaster-installer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix  BackgroundTransferHost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"  BackgroundTransferHost.exe
Key created  \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache  BackgroundTransferHost.exe
Key created  \REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings  msedge.exe
NTFS ADS  5 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 214673.crdownload:SmartScreen  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\portmaster-installer.exe:Zone.Identifier  msedge.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs
pid  Process
1464  msedge.exe (×2)
4456  msedge.exe (×2)
1004  identity_helper.exe (×2)
3156  msedge.exe (×2)
4588  msedge.exe (×4)
236  msedge.exe (×2)
1788  CoronaVirus.exe (×50)
Suspicious behavior: GetForegroundWindowSpam  2 IoCs
pid  Process
15268  portmaster-installer.exe
4456  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  28 IoCs
pid  Process
4456  msedge.exe (×28)
Suspicious use of AdjustPrivilegeToken  6 IoCs
description  pid  Process
Token: SeBackupPrivilege  6652  vssvc.exe
Token: SeRestorePrivilege  6652  vssvc.exe
Token: SeAuditPrivilege  6652  vssvc.exe
Token: SeDebugPrivilege  7272  portmaster-start.exe
Token: SeDebugPrivilege  7072  portmaster-start.exe
Token: SeShutdownPrivilege  11612  MEMZ.exe
Suspicious use of FindShellTrayWindow  64 IoCs
pid  Process
4456  msedge.exe (×64)
Suspicious use of SendNotifyMessage  45 IoCs
pid  Process
4456  msedge.exe (×28)
1616  Free YouTube Downloader.exe
11480  Free YouTube Downloader.exe
4456  msedge.exe (×8)
14044  Free YouTube Downloader.exe
4456  msedge.exe (×4)
1616  Free YouTube Downloader.exe
14044  Free YouTube Downloader.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.abuse.ch
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4456
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb39483cb8,0x7ffb39483cc8,0x7ffb39483cd8
      PID:4352
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2148 /prefetch:2
      PID:1776
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      - Downloads MZ/PE file
      - Suspicious behavior: EnumeratesProcesses
      PID:1464
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      PID:4840
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
      PID:4604
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      PID:2340
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
      PID:4580
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
      PID:2888
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:1004
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      PID:3048
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      PID:4496
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:3156
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
      PID:3764
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
      PID:968
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      PID:3024
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
      PID:2012
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      PID:1332
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      PID:132
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      PID:1620
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
      PID:2324
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
      PID:3164
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6532 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:4588
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6924 /prefetch:8
      PID:2796
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      PID:5012
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
      PID:720
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID:236
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6780 /prefetch:8
      PID:3152
    C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:1788
        C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          PID:4836
            C:\Windows\system32\mode.com
              mode con cp select=1251
              PID:764
            C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID:13296
        C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          PID:22020
            C:\Windows\system32\mode.com
              mode con cp select=1251
              PID:6280
            C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID:9876
        C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          PID:10060
        C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          PID:24776
    C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:200
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:17196
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID:7988
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      PID:25268
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:10388
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:10720
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:23736
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:22444
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:6728
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:5700
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:24196
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7020 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID:23568
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:6980
    C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
      "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:7348
        C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
          - Executes dropped EXE
          - Suspicious use of SendNotifyMessage
          PID:1616
            C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
              "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:10104
            C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
              "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:5472
            C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
              "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:12656
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:23424
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      PID:7644
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:5144
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:11992
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4984 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID:12400
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      PID:12800
    C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:12192
        C:\Users\Admin\Downloads\MEMZ.exe
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID:11684
        C:\Users\Admin\Downloads\MEMZ.exe
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID:11612
        C:\Users\Admin\Downloads\MEMZ.exe
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID:11524
        C:\Users\Admin\Downloads\MEMZ.exe
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID:11440
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:5016
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1500
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:6652
C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\92cab0fdb21a4d188624695f35b9863e /t 12008 /p 10060
  PID:16752
C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\dc86187d65204938b0b6366e83a0c649 /t 24868 /p 24776
  PID:7360
C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
  PID:5336
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:11480
    C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5268
    C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5880
    C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:24104
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:5116
C:\Users\Admin\Downloads\portmaster-installer.exe
  "C:\Users\Admin\Downloads\portmaster-installer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:15268
    C:\ProgramData\Safing\Portmaster\portmaster-start.exe
      C:\ProgramData\Safing\Portmaster\portmaster-start.exe clean-structure --data=C:\ProgramData\Safing\Portmaster
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:7272
    C:\ProgramData\Safing\Portmaster\portmaster-start.exe
      C:\ProgramData\Safing\Portmaster\portmaster-start.exe update --data=C:\ProgramData\Safing\Portmaster
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:7072
C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  - Modifies registry class
  PID:11744
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:14044
    C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:14876
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Defense Evasion
  - Direct Volume Access (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (1)
  - Subvert Trust Controls (1)
    - SIP and Trust Provider Hijacking (1)
Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads