dharma | hxxp://www[.]abuse[.]ch

Analysis

max time kernel
850s
max time network
862s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 16:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://www.abuse.ch

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (669) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 4 IoCs

flow	pid	Process
78	1464	msedge.exe
78	1464	msedge.exe
78	1464	msedge.exe
130	1464	msedge.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 39 IoCs

pid	Process
1788	CoronaVirus.exe
200	CoronaVirus.exe
17196	msedge.exe
7988	msedge.exe
25268	msedge.exe
10388	msedge.exe
10720	msedge.exe
23736	msedge.exe
22444	msedge.exe
6728	msedge.exe
5700	msedge.exe
24196	msedge.exe
23568	msedge.exe
6980	msedge.exe
7348	FreeYoutubeDownloader.exe
1616	Free YouTube Downloader.exe
11480	Free YouTube Downloader.exe
23424	msedge.exe
10104	Box.exe
7644	msedge.exe
5268	Box.exe
5144	msedge.exe
15268	portmaster-installer.exe
7272	portmaster-start.exe
7072	portmaster-start.exe
14044	Free YouTube Downloader.exe
5472	Box.exe
5880	Box.exe
14876	Box.exe
11992	msedge.exe
12400	msedge.exe
12656	Box.exe
12800	msedge.exe
24104	Box.exe
12192	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11440	MEMZ.exe

Loads dropped DLL 22 IoCs

pid	Process
17196	msedge.exe
7988	msedge.exe
25268	msedge.exe
10720	msedge.exe
10388	msedge.exe
23736	msedge.exe
22444	msedge.exe
6728	msedge.exe
5700	msedge.exe
24196	msedge.exe
23568	msedge.exe
6980	msedge.exe
23424	msedge.exe
7644	msedge.exe
5144	msedge.exe
15268	portmaster-installer.exe
15268	portmaster-installer.exe
15268	portmaster-installer.exe
15268	portmaster-installer.exe
11992	msedge.exe
12400	msedge.exe
12800	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2250935964-4080446702-2776729278-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2250935964-4080446702-2776729278-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
78	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\elevation_service.exe.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\resources.pri	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\PdfPreview\PdfPreviewHandler.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\ui-strings.js.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupFooter.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\ImportUnregister.au3	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\NOTICE.txt	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupFooter.styles.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\NETWORK.ELM.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\km.pak.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_90.0.818.66_neutral__8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\psuser.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\GroupShowAll.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\renderFunction\composeRenderFunction.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_18.svg.id-901BD4FA.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\portmaster-installer.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	portmaster-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
13296	vssadmin.exe
9876	vssadmin.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	portmaster-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}\LocalServer32	portmaster-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	portmaster-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}	portmaster-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}\LocalServer32\ = "\"C:\\ProgramData\\Safing\\Portmaster\\portmaster-start.exe\" notifier-snoretoast"	portmaster-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 214673.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\portmaster-installer.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
4456	msedge.exe
4456	msedge.exe
1004	identity_helper.exe
1004	identity_helper.exe
3156	msedge.exe
3156	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
236	msedge.exe
236	msedge.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe
1788	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
15268	portmaster-installer.exe
4456	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	6652	vssvc.exe
Token: SeRestorePrivilege	6652	vssvc.exe
Token: SeAuditPrivilege	6652	vssvc.exe
Token: SeDebugPrivilege	7272	portmaster-start.exe
Token: SeDebugPrivilege	7072	portmaster-start.exe
Token: SeShutdownPrivilege	11612	MEMZ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
1616	Free YouTube Downloader.exe
11480	Free YouTube Downloader.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
14044	Free YouTube Downloader.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
1616	Free YouTube Downloader.exe
14044	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
7348	FreeYoutubeDownloader.exe
15268	portmaster-installer.exe
12192	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11440	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11524	MEMZ.exe
11684	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe
11612	MEMZ.exe
11684	MEMZ.exe
11524	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4352	4456	msedge.exe	81
PID 4456 wrote to memory of 4352	4456	msedge.exe	81
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1776	4456	msedge.exe	82
PID 4456 wrote to memory of 1464	4456	msedge.exe	83
PID 4456 wrote to memory of 1464	4456	msedge.exe	83
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84
PID 4456 wrote to memory of 4840	4456	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.abuse.ch
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb39483cb8,0x7ffb39483cc8,0x7ffb39483cd8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6532 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  PID:3152
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4836
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:764
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:13296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:22020
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:6280
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:9876
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:10060
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:24776
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:17196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:25268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:23736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:22444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:24196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:23568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6980
- C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7348
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:1616
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:10104
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5472
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:12656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:23424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,11471502155390935528,3889763820454871663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:12800
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:12192
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:11684
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:11612
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:11524
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:11440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6652

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\92cab0fdb21a4d188624695f35b9863e /t 12008 /p 10060
1⤵
PID:16752

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dc86187d65204938b0b6366e83a0c649 /t 24868 /p 24776
1⤵
PID:7360

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:5336

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:11480
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5268
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5880
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:24104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

C:\Users\Admin\Downloads\portmaster-installer.exe
"C:\Users\Admin\Downloads\portmaster-installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:15268
- C:\ProgramData\Safing\Portmaster\portmaster-start.exe
  C:\ProgramData\Safing\Portmaster\portmaster-start.exe clean-structure --data=C:\ProgramData\Safing\Portmaster
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7272
- C:\ProgramData\Safing\Portmaster\portmaster-start.exe
  C:\ProgramData\Safing\Portmaster\portmaster-start.exe update --data=C:\ProgramData\Safing\Portmaster
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7072

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:11744

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:14044
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:14876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-901BD4FA.[[email protected]].ncov

Filesize
2.7MB

MD5
aa157dc59c537dcf42ee267b57d28f8f

SHA1
cd8dc0c4a5a2db163f4ad6881cf6785d342fa1cc

SHA256
519204b9ef0326b7ab506f63b6d476757334546a9326ee4f6646bc3f0f3e6ced

SHA512
ac3900597726dc26c34fb0ab1dd1f32d104fd7c1456191d68430faa1a31ec595d1ca796b2314a5a132a7efd1ed3e69adc7d1c21dc205bfd3c0e8586f7fac31ba

Download Submit
C:\ProgramData\Safing\Portmaster\portmaster-start.exe

Filesize
12.4MB

MD5
b3a42120e87026f23babfe1476adbd0b

SHA1
a5b95f933bedc2c6a051d6e94b3f5d22283927ae

SHA256
93183497329e05da3a0e4aa0b5c10c0001ff4455915e7a1d32cd931bd47d57bc

SHA512
6c44b12caf28eeeafc5aea469a389395f07c631dec436268de137eb966d2e2ea373d414021c6015b05d2f2c8453fdac20ef41a1b366b99fddeef29b78974edfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\783c4240-ce5e-4ddc-98ed-1af06f404cb4.tmp

Filesize
12KB

MD5
304eadc6ba4659df3422ccec878e23f0

SHA1
9869385a416d779f98f30e36bea4b5b8ccc4eee0

SHA256
924fce20619758711e8767be3f84afebe3e621b87dd29138235b92a4ba88ba2c

SHA512
54cfd020a1c95c54b6702dc18313bdc2961166395d34f33887831c5aa23b46f8b96e0552ad539ecc1e8f05363defacdfeb6eb305c97966028d2a928edfe38842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe68444a298dfe7ce3afb15e1e04dc2d

SHA1
ce8500b8bc9f8033bf5f6b28174d04852e996cde

SHA256
4fa17fcbb66e9306869abf881cf02c7b890bd34c34852c8a8f0e276bab375ba0

SHA512
ed3aec46de266977a45e00363f3e258e53e9763fd5304861d2a7582344f6364f9dba20d5a13e6c2eee42e6bb875eec2f3e900f45cc64bf911e7055008c2374c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
648295913e8e74a91d84a0bd6dfa0efe

SHA1
e42c17ec7e237fa16204bd204ba0d47c2e7aa057

SHA256
3f46ccf49be312c1e7b3cd94ff1d27970975d6a80e052769daf31c772adb260c

SHA512
6e3f03fade65388ad14c2443300f79d028986a7863d32ad731a3b1aef4bc4937e7cb150c814947befdf4d2a8510f70368ad35621ae854b9037e46488df7423e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
215KB

MD5
786c4894e2393c2a6df8fe0fd6aeee3f

SHA1
2242cd681f699ef3d642ed9ed1f202dbf6b0c1b0

SHA256
258ce3bda497a9ddf8e00e70ab2b08608c3f3211aecc90348179eea95be084a4

SHA512
73751c1624a8a7e8141c387159a700f637e4fed6f5974d7402fc4faf4dd72c0779eae74049746098ad2c05765fa97329c51e9cc5f422c02abaaa92035aa991db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
2.2MB

MD5
1cfd88d99fea3c760901c37f282023b6

SHA1
4ad2da7b06329e43bf3206f09fedfef11cc363d0

SHA256
ac6451fd744b604e5ac6dcfd6195f15ff2cadca79d3f9ac005a5bb9ba6d7c587

SHA512
8bc7d40a639b78e01c46909b8b3cfc04487bac88e523f17e9e71fc817a8cd08a9c12c964cf966c259c2af7d562be160729df359dde043ac4385f522fcc9a122c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6706c568bc19277cadc9fe5e6090d05d

SHA1
f53e47751cf5cc011c8e6e725079dc5529454729

SHA256
e0fc886ca64acac44f6c54ba643e7f334a0cda7e1c18e5b06181d3335a7940cc

SHA512
62e7b5ffe0634a5d81cc0cbe96572acddd1cdfe2103adc9b33b4d7608b3e001d39af36279222ea1121149822b58cb2375544512f0e74e8335358b4ab4a014f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
2b7e1bdce7eb3af6308de25b7ac451ae

SHA1
261d440173f77943beb6fad1afbc457e105313a7

SHA256
7bdebea2608d26f4f0e2e2ff0355d709719b63188108277825f38d5032ec48c9

SHA512
5c790aaf039c20c2e8dc17d0c522bc49d15230df5a1f834e4cac1a595362622f92bde19cc9b06a1ae21338b97b2cdb8e56926b3aabf69e1e37a9a831fcd3e681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
733B

MD5
9d4382950ad16bbc72ba5b5b5039bf40

SHA1
57387141d602841ab2a9789c0f27459ac14876ce

SHA256
ec40d0ddee751b08d9bad7fd0a22602f5b08e39dec0cfbc9eb9423d8e64709d7

SHA512
3ea7fafa11945a1441427ebaf1dcc63b32e38a390ea069da97ef73b0e195c1d04af0a71a170cd13cecb3c148052182bbf5ad6c4042588a3de363cf0ee9a27f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
733B

MD5
79a1cb1f8cf744fef05c2669ee6f5ec3

SHA1
9b69ce4d1871f21b679b31620ceb1fede771ae0c

SHA256
b8156420f476a211c361dbb42391c8e517403af0c4ab95f8c084d2cf2743b79f

SHA512
e30a8bc6c76ef64f0e130399f0808eb48c3dccbee2491a2aac0c954b83b02661df8233c4def492b2076fef8f937fcdac2c9c30d2dab38597776ff5b1284ac1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
01e143a2a8801989112edf291ab1aa85

SHA1
d825e2d4383a9fcb0aaa93b28c1f26975c90f67a

SHA256
3cd8c0548c044235bb0ae533f6d2e5845653da1cf523efb2d10ff4a3d57f22f3

SHA512
bf0299e9f54bded95e6be076a60e6fedeef41c9db78ac7c0f96a684cbc130d02e7db8309f633423d5d8c70f2fe03e04dd2a812ac6b378a4fe5e3ac077bd9137a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
292512f53e615806f7384b95d6933568

SHA1
da9f9ba6e1cb52ca7fa603e6dce6b1e31220e9f1

SHA256
23c8bad0dd94e0b5d28cb0186a38a01edd79cf556a857d5e28b460bef10df55a

SHA512
07997d7d6b2a48a81da4ccf27fc5df1e61fb3ad60de0e8211afe1b297653ce96ae6814c0b779f986a00a96d10f48b3bddcdf619c47f66f66ebd1274ea7c821a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5f41a6.TMP

Filesize
2KB

MD5
9b9c023f22c733a8aadddc9380ccc921

SHA1
2ea51f49774edd828bd57753f7261110470cfb2d

SHA256
38fe35fb13c3c7e41ef6acb7c93f557fce306e6cdd6b22bac0178f62cba8992e

SHA512
ba3615f40832e03088613bd42b390603648988d067891e494c1fe72ae36661b5c2e3b94a65e9cefcb131f76a1453e40f7defa7d16c2184999e5389adf580858c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e836f4951b0e95e7db40477cc320d0a5

SHA1
697b844f3dc14e92497c7b4b00623163ea39cec2

SHA256
d0bd6a08ac0487c145964d028a8dd0f994a28e99b0c94a8d39627934d36df051

SHA512
7be43be372e6bc28f2ca6ce47f944c693ccf47624c02db09620ff5f44d390a4aa80a919b35660cfbc5c8045d7a93f5aa84f80178ee9d5b9f147cc282a69adb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20728036a2b8f58738023e851e51e3fe

SHA1
1a6961816b3de6aff39905afacc52457c363e2d7

SHA256
8a61612c9487a8a99a73d509f48ba89141e97dfb9001c9f81832eafd4beae01a

SHA512
9427eca972094f0a4176a7d3b52f7256acb8b164b0db1a9a72fb97585dfb04639fda7ad39204cbfb05936886175982628d157f80a50884d749abb4091f714406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6eb3091a5e41b9b04d70446ff869e0f5

SHA1
2e59a1d50f863dcf187e1965ae176ed828089219

SHA256
62269c1afc1cc4658c64243e52718f516bc3600a31649480de536e69100fc664

SHA512
8714c8b2b1ea9ba24dd6d7f446c7754af2ed1cd5334f464c6f90d2e09df91c1950adf03ac4c58a3fceb1331513f131814108796b5ba132cb77d08a1d4adf2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
844a879ca0098d230105308002031bf9

SHA1
4c6b00b8ba0b3dd4317de8f4f5a1eaf2cf15262b

SHA256
5e97783e0d81f4da4ed368f11ba3b88bb697ed77d904ad6945cb904305193bb1

SHA512
0fb20151bd148c46677f2f68a1352403cb1a9e00a455e9b237982c52783a7ed94001728428aec1ef25d603fa802e8b63ac8c5b2d6007403119c6aff502886fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
99ec24a149925de398e762e036a553b6

SHA1
d2bb50d49e2a6439368a4d1e4dee766347311320

SHA256
66c590e07f95ba9ae01f28603a96a8e65ece34e12d8de577f67ceb2f918b2776

SHA512
61d218f7fe0752105b3cfb4e8c796db894885b1751be7ef79784a71e6235f9d77507fc05bbb5068be3ba7d1d351ea23c34567fabc1088954473718e8568503fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
45c1d0b840215bab3f349f95ffbc1476

SHA1
83327b64fff709d3b69d219fa1ded490028ee14a

SHA256
7578cafa6d5ad1f79e709c97127a6e3ad313cf29f8fde76b4f5c378f42ff664b

SHA512
c8120a23d594f9b5f6323dcab4c4ffe8b0627cbb0a643aad275dbdd5ffb616236badc2f8665dee06dbeaab294bf01c4d7943e5afc07b363ab0e07460e198addb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9e4a0e986fa47e936b67e12748f721b0

SHA1
bc4dfb28a9cf2e050e57a925304c2898011227b5

SHA256
3c52ac4abab104df1f9c6ccb629f3517b701405138a11f063b25078694068fbe

SHA512
6559681d38407402588cf08ce5cf61adef048078a707f7a8f71a9de115b71ad7e9ab5efe32f742c853697710a266461029a2b10f0e8c73b41feb678c2d341834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e6f017ca5a57e89c10140dc3ca924441

SHA1
7fe6eb9c0a6193627102d917133b702b8322c87a

SHA256
5dc0e5ef7f37966a41e258324db5670dbbf4eb8f91d66cc334cffdac7419ee9f

SHA512
33efa0cd86b520d3488f4918ad8242077c20bed273a6bff102b4bb1766da5b6940d0cc6c2802f247ed2e80275f8242c26c9a758fd093887d6af9c954dfd08b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
167c4f310683147944d20f4c450c5a21

SHA1
21662a9ec105735f2663209bd43674a9affa9af1

SHA256
a016ea9803304d3f1463391eec83832a24065f0fa298b59e0d0482dbcb4936ed

SHA512
3790873846e8c33ccec7bae016a8a31ed69b4de882ee47181c7487b1e8ee948c91ba6555e3f15bf3ee048b3b914efb6ad7eaf3d5f05f7ca01633f68a2157d5c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0ce51a30369d81377f0961404a1a2a3e

SHA1
02a90c0bac1cf9bb754e4e132bfe0a6070990910

SHA256
6b869e73a588c6754736952eba705642880533ebbb25a4a4a69e93459d334151

SHA512
32774c14ef54a0ecb613633dbcfc413bd12496fa0dd1eb5b452ef0def7a822c847d73503303ed12351c680cd316a49dd309e3858e9c5283385f439ff29d7b914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc73f5398c62e9cef574d7cc3c0de45d

SHA1
522f6f93960494874285776b16ccc525d178df45

SHA256
de4a8b76fae970579234a2ed5fd105e0266cf08acfde14c02ea1a90f1edbcab6

SHA512
010539dc2f041161c926583ebda7eb701c06d36743968432c9c32b2f5ee1a6f9a3818d52daa3073a67b0af867e94728c74b9812656d8998c541ff9c44b96a544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a81529df8a5f7a9b5229c6f11f70f640

SHA1
608e0e565c7684d82a05e43bcdcafa6cc57dd9e4

SHA256
947d25e51d3a6f74e4a58aff0c5d717e13d1121ab41372e5535a5cfb2ec0f694

SHA512
78f76ff8943a9504b84def5d7957548a7e173dc5ef4f7245931f6320f282e938b5eb2984288044046b7a9d6c09d52631d9b051f7bfdfe8fabaa6bfd9158e04fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6db4ada00fdc1ac4656eccfd32e7ef8b

SHA1
a8c535791690aa2f58636c484011197f970d0cc9

SHA256
1b8dd36ba2c3d8e53fd12ccdc68a183e3e481d47c8afbd94d8bd45b7a9aed382

SHA512
bac0c9503c62bff1903ac20416659e274f45dcfbbfaa970dabc4ef7def311ea9012c228db73edb42cabc4ad79117f6b4e36bddb7ca18f225b4f37ea4e4c02b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f49f82d8aa85962906608c3df6a2fcc0

SHA1
f77472b45de16b245a4422cb15b6a25ea58423f9

SHA256
c9bbca7e9d610e7665a9be2882558a563caa0b2627b3614f121f49bba3d03c9d

SHA512
69ee61c98dc7ce2f5143940476b8e1c41f2e792a0dd997a76c012c4a5b757350ef8820dafde45f80e6bddc87631d2b303a1979cc3e4132946761f9e82a1a9546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5e7bff9c6af3641fbb968f4482aad904

SHA1
b89888346bc855897a5bf03734116fb73d8547fb

SHA256
0e89fe6e3557b2d7e23d34b251224ff3abe212d0e25505791cab71fef4473728

SHA512
c4f985ee55aa30e7497c741da6f1c1ff5a5e1c26686467a685e6d6a1c4792c1f2bf2f352c7cd6c7c9c800c57f49134bf34cb8d76192ff76799eff46eefb1ff28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f5c7d74e55df6da8d3faf06bfa106015

SHA1
79a7c821c4c50b276886f98f6a1a9c45c3047416

SHA256
6c519431817ed35fdda0a940d1cfda5ebd004ab211ebc196091863a10fd93638

SHA512
b2a38faec7a485307b5adff79107efcf5e19b04a0679f724bc10d6312e67954b4248a9ba058e5f8e52cc6d45be2d5a6f1813893129c2feadbb7a4ebd775731a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2dcf9c4d15c912e253aef667e327e04e

SHA1
9a9f0ed78b4c6c466fca893029ade7a51714575e

SHA256
4ede9050644411dadd54f25641bb000026d44c2dbe64b15c7bfeb97f8dff0fd9

SHA512
0dc0155826340cd7ddc850041560b3492efd433b3f5174b50b3ff2326b11cb93f0ee07232a43d96eaed16ed93085729030633b4d7ecb99b4557363b1059496e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b3905ce27183c9b32b251fef754afeb

SHA1
da755d6548b33fe4779eec3ac0c5e557c9035715

SHA256
6d44ac67831f57a4f077de294d9bd29b67fd097f2e4fb080ff750d5cd4c8e806

SHA512
a6c5baa6012a26e512e7a805a3ab7d805f358bef7c4fdd92db4abeff3a8317db94ea5450b5a922b5edde9cb202d5ffe4087ea1d5710369a56f2ed9bf14d85459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e269043758520533f044dbe2b958fec8

SHA1
00398ea85c7b90885ef3b325ce0fbde78b492597

SHA256
0b9a1d60052c4c07e0f2ad48a078540bfba779666223b1ea5ece1fd815a9d8d0

SHA512
bbd9d79add40d99c2595afcb57c718fbee889b379edd9df9b78f77cde0ba27847e872e07c74ca30512ddcdb66a5205df7d697d6c1c0f70d6516d08b412803e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
43a1996b89d0a72700b8b2af0622cbf8

SHA1
0cabba2a5efac40bd062a7046062c772d69ef565

SHA256
55347ad824e374799ef6e7350c0ed1df7dd24764423af9d28fc7ab1763868830

SHA512
90cdb73ba33dab0e3e626b50c0ca1bdf256a76ff4b233ec4ebafe61c615b7f94727ed2f9ca2bc58d144e0be64e97e47ffd9322c54db216c69fee55f7632a9f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de68696b6de9efb99f6430e320c83963

SHA1
0742552bbb9eb95519e591f6c17af50d60827a0c

SHA256
a1b60fcb96481aa1e01a6bfe2b705f87ae066de38d05f78e7d083490332b9dac

SHA512
2b657d16bbd80956b62ecabcb9423dff3c571947cb8bb8d2482f85ccd46a0d7ba15e38cacf77cd8df644af13f3a673919df0ed2ba739d599f01b7b957ddfb7da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
90daed3ab2aafd98410591a4b3463441

SHA1
eba85ada8c258a6927e7cce4e6b87500c7f09ab9

SHA256
ba56cb6b3717a27287b92c6b71595accd5124cb79828d261a7b09461ebe478a2

SHA512
6cbc5ca8d94deb86281239559aadaa0feba300739caac9bb9dac59f64ced8b4d8a003cd242c09f06304037ba840638366981f10c449305aa23405c3df082bb09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
605b4d61d4b1799939bd62eff9c8c6a4

SHA1
c70cfe5629ec43089de878ae07a56215ed669bac

SHA256
7beae9fd3452bfd0e6c622294dda1436730bdabfe1cb02216507604c589b51e6

SHA512
7a0ed8553d3362677a9d9a1f702427c5fc02f9f0f652da474d181e90f9f2dda9b412cf6d46eb296334ff261c107d3613f550f73f93ee261309312f70d87f49e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
943d1a39ede51ce4b35d216399997950

SHA1
f19df652e27f9f777951e0681533a8329fa0caf7

SHA256
c4ffa1c0fc943077b7924c56cd3dd7f9495445e4eea3fc99efad0cf6cdc8f362

SHA512
c3a77cb2bb3fac189a3f770cb5c335fcc0c5c8c090ca6caa0e46d92660b96052edde588e60d1cb0b839438525ab86721ef697a8f9252716ddc5143aad80b56fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5943e5.TMP

Filesize
537B

MD5
19096d4c16d51a15ad9385345e1c6ff1

SHA1
363d9344b14b6a71fbc3a9acd38f47f88cdbf3b3

SHA256
fc70f255dec90b75933d2c038cfd55a25d54f001d6e934675de9ed689b2434c6

SHA512
684c3076cc1a66a8c726b5e5b5e303dcac8e157fba83537d13b83987a7bfe66c96aa0a293b90bba7c99aecfefcb7e03e3fcf46ea8aa5133492f610e037a7ae3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b16e0.TMP

Filesize
2KB

MD5
6c2bbfd6a3b7b7f5f8dfdc2e305114f3

SHA1
df64e935539777653520a011484cf7ce8acc1ac2

SHA256
22f27f1b181f3f737e2b017280e45c37acea155f1b0c0f27783180cf38e2cb85

SHA512
44d17de3149067aa03ae9e03f69400325082366c6a4bcbaddbd3e8f33e63af3bfe3577fd3e22b9823ab0a521e06f3c02a0c95cefd48fb5437655622745148a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fb8be369-a013-47f8-9aa0-aacdccd1e6d6.tmp

Filesize
2KB

MD5
f3cafc15b2d50abb734151716950b277

SHA1
f13a5b10770b6ec73991a4c19fe0083c483c5f57

SHA256
64167daccd928243bf63c7ce5b3a053f03dca76e2bf44838174c096b93475d49

SHA512
18231fd2dc04021cdae737e49385b948ddd541b53664f5041f6dbd90066ec1998e4b15be1488a50ed43f59a5c4127085a2211f6be02fab601b134f35af39f9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fbb72f05-fefd-4a78-a224-e54cefc7caa5.tmp

Filesize
2KB

MD5
d591053042fa60cd9349e34db3665eee

SHA1
cfc28cedaaf11e2d264c823068ebfecec284fa4b

SHA256
67dd2e5dbf361f3c9be07b6fdd88db43831357336585869cdafee1228d3777c7

SHA512
2e5b5d70b81e8f329a810ef43c377787d497c1af9b3beb0ce4e6f70472e423656ca998d96c4931637bed0cd324563b21dec2f83067e28c61eddfad478ac50ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aa7da5b853201afde7532fda87125f26

SHA1
e5d0157ee5834582cc2daafa468e71862f6ce81c

SHA256
c438e3824ea36249790e438cd8f75f51d92e5d27279b75c3d239e1e6f252666e

SHA512
31b396a3433282483b1d135f53532f6123d1edc11de749c99a427b6f69889709589c331b9739e654b7bae457832e725253f2f1ead164bcc94612ee1c2d2e8b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
37f97ecfefcce4229812fbb64aa154f7

SHA1
08237cdc95ed374f9b3206ae3df9aebe302f6da6

SHA256
3c71b486220987a28a1c61a85b560e3dcf546163d8ffb5237c2974460b915814

SHA512
776dcc11911ade6dc94dc0bda058dfcd655b73c6b06d341b3e3f65bdaf6822ad09744281d3269d821d066b14c9b19f3977828d885249b56a9c2890c741facb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
32288a631954ee3e7407f549c427888b

SHA1
fecddac3d04ea9607c0d1a5bfa016dd96f274940

SHA256
167b50ecbc751bf1f4a3f65bd6e2ec75fdf338e2918d6e2187c33ce000f576ef

SHA512
5f286dc669c39a034a25688e160e32c99e40eaa69d4ae248f39adf391fb2aa3e1acc4cc289667535fc49071c7548199dfb0b03dbb0b8b766126f833685783a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
caa85546ed3f1c6450a8b49155f26d40

SHA1
ac9e3772ba335393f4430233281e14ebe33e1220

SHA256
59dc9b3f473e6a18c1d15dd033f8fb196c8ba604d516adced8dea2bc185217d1

SHA512
eac4ba7d4d8a6227bc269010d7392d80dd41941fe359e39bb7deb8175c8d4ae3c5828144b47ac0915eedf788997d2a85f358f1a528971dc4edae6ea247d114a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
31e448463c6aae7a6563b51c70ffb5dc

SHA1
0e9e5e8d94ced52f686ba0437d4885a832aaf8c6

SHA256
d673b40d8070ae9ec54010cbd1e2c9ef8fc73e5c827ba1682cca9accb9d7593a

SHA512
cd49caeb2e51b41342ac613b0ea895d387f295eba418760cec52bec2d53e9b72e098f0c2e93685c5e7b43ad49a8a0ef30992ebc46bf5e38ace96621e6b2c669f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b9f6094b66747113cd7d1136ac519341

SHA1
1d0bce510db0d538a7c9a408ab59d8b8b5358447

SHA256
3c9bcfe1de37bde6e12bd6b64fb0603085a5a299d1403423b554ca5f21afca78

SHA512
cc5a41bf370be6830fb0bf053ed65caecbee7c8ed29033c3d4f38aed76017fefc7c8be35f2d5e00833af601b78ca0bd4a8a470cdbd18b084b03bb881b5521bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
582bf201faddadd7248786940abc0289

SHA1
67f6bbdc4589220090654a364e3df527636adf38

SHA256
354bcdc6ccfecfa3c3d2e3b76265de6af2859d75370960b4345eaf4e454ccc25

SHA512
aa68b6cc5e81cef1b5989ee40f36fd0bcd618708ec457520adf9e5a8b100dc658fc735f481693571ee7ab0b77ccbfee5bba6c2d7d6e0c9aea11aade791a00395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dc220411-55cb-49a4-bad8-0a6778e77a10.tmp

Filesize
12KB

MD5
91f75b10fb94a4abdf107fd0c8751dcb

SHA1
86029ca26f3f580f797996b1ada310aeb324fce8

SHA256
893062464b05534f76ff9a56b41b1ccc30f2e3807c3ae88bc0887dc0d4894331

SHA512
77cfaeca86cde8b49d545e50558c9a5a1fe2f143f7a5beb03227b367765649a22b8da70d071e5759ea962e59ae03e98c9c754cd90a5d95426efa5408a4baebd0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8508cae6-1f4c-4913-869a-82d437b2ef1a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj977.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 706969.crdownload

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 91069.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
memory/200-11525-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/200-11234-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/200-719-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-27270-0x000001F97E6D0000-0x000001F97E6FE000-memory.dmp

Filesize
184KB

Download
memory/1788-705-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1788-5857-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1788-720-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7348-27269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/10104-27327-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/10104-27326-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/10104-27325-0x0000000005790000-0x0000000005D36000-memory.dmp

Filesize
5.6MB

Download
memory/10104-27324-0x0000000000650000-0x00000000006C4000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads