hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/rogues/NavaShield[.]zip

Analysis

max time kernel
116s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/NavaShield.zip

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Endermanch@NavaShield.exeNavaShield.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Endermanch@NavaShield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	NavaShield.exe

Executes dropped EXE 4 IoCs

Processes:

Endermanch@NavaShield.exeNavaShield.exeNavaBridge.exeNavaDebugger.exe

pid process

3212 Endermanch@NavaShield.exe
3632 NavaShield.exe
2804 NavaBridge.exe
396 NavaDebugger.exe

pid	process
3212	Endermanch@NavaShield.exe
3632	NavaShield.exe
2804	NavaBridge.exe
396	NavaDebugger.exe

Loads dropped DLL 12 IoCs

Processes:

NavaShield.exeNavaBridge.exeNavaDebugger.exe

pid	process
3632	NavaShield.exe
3632	NavaShield.exe
3632	NavaShield.exe
3632	NavaShield.exe
3632	NavaShield.exe
3632	NavaShield.exe
2804	NavaBridge.exe
2804	NavaBridge.exe
2804	NavaBridge.exe
2804	NavaBridge.exe
2804	NavaBridge.exe
396	NavaDebugger.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@NavaShield.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	Endermanch@NavaShield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe"	Endermanch@NavaShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeNavaShield.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NavaShield.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NavaShield.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

firefox.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\NavaShield.zip:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

2880 msedge.exe
2880 msedge.exe
4232 msedge.exe
4232 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NavaShield.exe

pid process

3632 NavaShield.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4232 msedge.exe
4232 msedge.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\NavaShield.zip:Zone.Identifier	firefox.exe

pid	process
2880	msedge.exe
2880	msedge.exe
4232	msedge.exe
4232	msedge.exe

pid	process
4232	msedge.exe
4232	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firefox.exe7zG.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1880	firefox.exe
Token: SeDebugPrivilege	1880	firefox.exe
Token: SeDebugPrivilege	1880	firefox.exe
Token: SeRestorePrivilege	3664	7zG.exe
Token: 35	3664	7zG.exe
Token: SeSecurityPrivilege	3664	7zG.exe
Token: SeSecurityPrivilege	3664	7zG.exe
Token: 33	3300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3300	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

firefox.exe7zG.exeNavaShield.exemsedge.exe

pid	process
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
3664	7zG.exe
3632	NavaShield.exe
3632	NavaShield.exe
3632	NavaShield.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

firefox.exeNavaShield.exe

pid process

1880 firefox.exe
1880 firefox.exe
1880 firefox.exe
1880 firefox.exe
1880 firefox.exe
3632 NavaShield.exe
3632 NavaShield.exe
3632 NavaShield.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

firefox.exeEndermanch@NavaShield.exeNavaShield.exeNavaBridge.exeNavaDebugger.exe

pid	process
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
3212	Endermanch@NavaShield.exe
3632	NavaShield.exe
2804	NavaBridge.exe
396	NavaDebugger.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 3924 wrote to memory of 1880	3924	firefox.exe	firefox.exe
PID 1880 wrote to memory of 3448	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 3448	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 1420	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 4528	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 4528	1880	firefox.exe	firefox.exe
PID 1880 wrote to memory of 4528	1880	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/NavaShield.zip
1⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/NavaShield.zip
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.0.1334119015\829308851" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1768 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6e9c1f7-fdba-4273-bd98-7df1d93ca93f} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 1948 26dc3216858 gpu
3⤵
PID:3448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.1.491312928\1924364942" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee8f6604-4175-40e7-9a79-fac1f9521ac8} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2440 26dade72558 socket
3⤵
PID:1420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.2.1204987381\1891843166" -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 2992 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fa6ec8d-ba2d-405f-b466-f9485cdab69b} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2960 26dc600f958 tab
3⤵
PID:4528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.3.262217811\1193499582" -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 4012 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44524ba0-8293-495d-b0bb-e6d2691fa76e} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4020 26dc765c258 tab
3⤵
PID:2840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.4.2117174965\1076597314" -childID 3 -isForBrowser -prefsHandle 4676 -prefMapHandle 4144 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cb94b80-fe53-4293-b7be-bcd77ac2f32f} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4664 26dc7128b58 tab
3⤵
PID:3592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.5.2126110361\1821592229" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4660 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00219ec8-8652-446a-b394-51e7488389d3} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4896 26dc7128858 tab
3⤵
PID:1356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.6.2008092280\1372711483" -childID 5 -isForBrowser -prefsHandle 4868 -prefMapHandle 4876 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed0c521-ff21-405f-ae65-f829b67848e2} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4932 26dc7ff9458 tab
3⤵
PID:4492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4256:78:7zEvent26253
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3664

C:\Users\Admin\Desktop\Endermanch@NavaShield.exe
"C:\Users\Admin\Desktop\Endermanch@NavaShield.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Nava Labs\Nava Shield\NavaShield.exe
"C:\Nava Labs\Nava Shield\NavaShield.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Nava Labs\Nava Shield\NavaBridge.exe
"C:\Nava Labs\Nava Shield\NavaBridge.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Nava Labs\Nava Shield\NavaDebugger.exe
"C:\Nava Labs\Nava Shield\NavaDebugger.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://navashield.com/order/purchase?package=1&a=TNEQ7W7U4W&reid=NEUATK2000&license=hcR138jkUkCddqL0q9bCeg==
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffba8c446f8,0x7ffba8c44708,0x7ffba8c44718
4⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6836636895206707089,14231174298460549222,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
4⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6836636895206707089,14231174298460549222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6836636895206707089,14231174298460549222,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
4⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6836636895206707089,14231174298460549222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
4⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6836636895206707089,14231174298460549222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
4⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6836636895206707089,14231174298460549222,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
4⤵
PID:5456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll
Filesize
96KB

MD5
912924f628e277be9cc28a5f2a990cb9

SHA1
13c0166469a271497043a2f13e9a6a610dc2b336

SHA256
bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb

SHA512
b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll
Filesize
96KB

MD5
912924f628e277be9cc28a5f2a990cb9

SHA1
13c0166469a271497043a2f13e9a6a610dc2b336

SHA256
bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb

SHA512
b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge.exe
Filesize
4.0MB

MD5
6f89df4cde193c0636c3d497cf1a17bf

SHA1
9faaa0100195e3e81fdade11e7a476a1fd1b23c8

SHA256
e7f05380e90dfb15b91b8bbc2ae48a04ba84d573b3c9f7d81bcc12f814215929

SHA512
c31848b1dceb8f8351991051b389a38b2ca0ae7ee98ebf626576245ca1588f1f6ee14e3eff7b165ecf9879e7e11ab77888e297cc4ccbb405b0ed64ebcda304b2

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge.exe
Filesize
4.0MB

MD5
6f89df4cde193c0636c3d497cf1a17bf

SHA1
9faaa0100195e3e81fdade11e7a476a1fd1b23c8

SHA256
e7f05380e90dfb15b91b8bbc2ae48a04ba84d573b3c9f7d81bcc12f814215929

SHA512
c31848b1dceb8f8351991051b389a38b2ca0ae7ee98ebf626576245ca1588f1f6ee14e3eff7b165ecf9879e7e11ab77888e297cc4ccbb405b0ed64ebcda304b2

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger.exe
Filesize
10.0MB

MD5
47ef848562a159b2ce98d527ec968db2

SHA1
56b34310e8ede0437c422531bb89b2255a03cb3d

SHA256
7d899d2d33bde1c7f55ba0fcd4630b817e42e5cd1ceb8739511a990455275f90

SHA512
ac05354eacab4252e57151e98b8845d142b258590269ef92a724818623f2912b48341555ccc604a810e89ced3178ffc896ba116805ec3d129d9f6932296d935a

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger.exe
Filesize
10.0MB

MD5
47ef848562a159b2ce98d527ec968db2

SHA1
56b34310e8ede0437c422531bb89b2255a03cb3d

SHA256
7d899d2d33bde1c7f55ba0fcd4630b817e42e5cd1ceb8739511a990455275f90

SHA512
ac05354eacab4252e57151e98b8845d142b258590269ef92a724818623f2912b48341555ccc604a810e89ced3178ffc896ba116805ec3d129d9f6932296d935a

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger.exe
Filesize
10.0MB

MD5
47ef848562a159b2ce98d527ec968db2

SHA1
56b34310e8ede0437c422531bb89b2255a03cb3d

SHA256
7d899d2d33bde1c7f55ba0fcd4630b817e42e5cd1ceb8739511a990455275f90

SHA512
ac05354eacab4252e57151e98b8845d142b258590269ef92a724818623f2912b48341555ccc604a810e89ced3178ffc896ba116805ec3d129d9f6932296d935a

Download Submit
C:\Nava Labs\Nava Shield\NavaMod.dll
Filesize
5KB

MD5
3d7f80fb0534d24f95ee377c40b72fb3

SHA1
11b443ed953dae35d9c9905b5bbeb309049f3d36

SHA256
abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc

SHA512
7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7

Download Submit
C:\Nava Labs\Nava Shield\NavaMod.dll
Filesize
5KB

MD5
3d7f80fb0534d24f95ee377c40b72fb3

SHA1
11b443ed953dae35d9c9905b5bbeb309049f3d36

SHA256
abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc

SHA512
7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll
Filesize
136KB

MD5
fcf3ac25f11ba7e8b31c4baf1910f7a6

SHA1
fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72

SHA256
e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c

SHA512
47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll
Filesize
136KB

MD5
fcf3ac25f11ba7e8b31c4baf1910f7a6

SHA1
fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72

SHA256
e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c

SHA512
47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll
Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\MD5.dll
Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaShield.exe
Filesize
23.8MB

MD5
9d299e41bae269641af28a6c02b80ef6

SHA1
66114e20ddf19e657d29aa2d1ac56ea93c62d130

SHA256
fce1bc05fbe2de83ee535e5ce0ceee94f2b4f917cdcbe1f1f649f44be25d4ec8

SHA512
26e01252b6caea9122734485654848d31c7f3dd06cf7fcc2806ba2b0705cb914b6b7b4e38ff1f23a5c373277e23d64320844e9882bef4ed27eb68d7ecce5de28

Download Submit
C:\Nava Labs\Nava Shield\NavaShield.exe
Filesize
23.8MB

MD5
9d299e41bae269641af28a6c02b80ef6

SHA1
66114e20ddf19e657d29aa2d1ac56ea93c62d130

SHA256
fce1bc05fbe2de83ee535e5ce0ceee94f2b4f917cdcbe1f1f649f44be25d4ec8

SHA512
26e01252b6caea9122734485654848d31c7f3dd06cf7fcc2806ba2b0705cb914b6b7b4e38ff1f23a5c373277e23d64320844e9882bef4ed27eb68d7ecce5de28

Download Submit
C:\Nava Labs\Nava Shield\bridge.dat
Filesize
176B

MD5
e66f1107f995d52bcd90421b3cdc0dde

SHA1
245acafa2f3dab3f2b7f183d34267dcd976199c0

SHA256
45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74

SHA512
0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f

Download Submit
C:\Nava Labs\Nava Shield\config.dat
Filesize
4KB

MD5
4bf28fcfb3b4aae4abeaab08823c38c1

SHA1
760c2dd3066bddbd1766a4adeac3e0bc5dc66a27

SHA256
a1f46a221fb1123bdee32a4d8dbadb5daae491ed0b684bc87236fd51aa7420cd

SHA512
4b12e3cea83c3eb7748c834b65728873bd94b525b12c9dc77d7dff777c313ba6f20ab4c79b444d0c37a0233fca4e86df6e049ebdbf1344241a3945041852ce26

Download Submit
C:\Nava Labs\Nava Shield\config.dat
Filesize
4KB

MD5
fc85dc30a82dcf8f19a23b201d130a88

SHA1
9674aa8b3c26ee0d3db01f155342118e3e6576d8

SHA256
1696a38f6e6f104a435cb9e0df2a55e75f46b2ec3a92d0bc740f99c63874d0db

SHA512
2164fa5645e829082a6b645c4f35191b2ef908bdc2c551dac3be1169e94988489290c4ca310bf93c24350177abb4be7dcbe0fa0fcee3a5902396064a1478d910

Download Submit
C:\Nava Labs\Nava Shield\navig.dat
Filesize
255B

MD5
0bf850cb9d0aa0f4c778cc515b79bd13

SHA1
c0cb8a58cba046d2c7539025a39c8a1af81c3914

SHA256
9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00

SHA512
649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
3e60df493ab3a213529ed8686cade5eb

SHA1
1a9a69dc64908ba952d42a402d2dfe9a67ac1e3e

SHA256
37a6018ee29ca5b01fa8601b15858d428acb98a9e4442a875e85ac5e08aa5111

SHA512
60fb8ab8e33e56d9b58751e1d0a55e09a0e93741807bb246b6c0ba800a72e08d48662daf0fea4ac90b11125eb7d217ed80393d8a3f10eb666abee51ca7497e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
bcd280e36cb3a927b25c6fb91179a664

SHA1
59ce2c4f05974b63dfec3e141f0a998093b49599

SHA256
183abe26e4b8c0692cc669e118a49baf5089e393cf049cf5d2c5fffd36ac5ccf

SHA512
d6c0b378722807693494e343580a6f197462342c5b15062929c6dc80a04653cdce24b0e7046974f3c6788a569ec9e747fd3c6d5b8d2c4c9d02515ced90026335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
Filesize
148KB

MD5
fa83dd152bd7ef17ccf6c225474c337d

SHA1
1319d5b6111c30c8554ed278c779ebae057d1040

SHA256
76758435aead087687cfd93d1edfffd68c5fa09524a8c56d4881757dff1f69c9

SHA512
bb60132b014407087755868c9bc4f3d14068e30843be0798120386980e7f5db5b1b134eb65e4831467ffc97b3722b6a8acf278560e62a22bd3eb80a91c20da96

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
Filesize
1.2MB

MD5
f96faa6ec671eaabc66ef44d5a715db2

SHA1
71b08ba07e5cea3490daeb4b75b4262b1e8a9821

SHA256
6beae61ac55708892f869336fbf24f5987b433d3abe54f00bb69a098715caa1f

SHA512
ab02f785eb412004de71337a016861e790c643bffb7b1ff87d3c7f62e9ebe139fb13b04c4605ff8f069e9e0eb032427e864a6d98af5b8e25fef770bb84272838

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
47d8bad67e7c8a12853d529f4225c321

SHA1
78b1bfda5aafb408480538343653bb77bc94dadf

SHA256
48e8af104fa45f232488b47ea721025568a62db5a8bcd1160bd72f87948e076d

SHA512
b08257cae0f98afda8e226111ee54abc460d726da84e1886809be08b44f84fd26321c3506f8874eb03acf204af744365528a206aee4011294688f66e70a3a9b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
10eaf70c4c3a935f9aaff3c8e5edd919

SHA1
4f78c9eacff8540a4e876126918abb461fe62df5

SHA256
fdd9d27c9c573f29e0f441877707cee6c8de092601aa20f26cb4431dc96f3e0a

SHA512
742b5f092e1e469ced3b0ef693a4932801b93430baadeef6d29de00c8e91b1110d8accc238623ff8a95fb8e65967b10d7fd870a61625ddedabb80e4d0f959f8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
771839addb8b873496749f9e41010147

SHA1
c89611c84c64b3ea9dfa5e6a27a0cc1107c91e7a

SHA256
d423ac755df770b6f80a9472ac20b3a4d66f67c13361d4d39738989ae7ae908b

SHA512
8114b9ea1b1519acbc6243b78af42a5710802b52e7e3279aa13d5a7b91ade4cf6b415809b4c09d1e2c69d11b06e65fe196d900dbf4838ed6366c2e460db50956

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
6f33aff27003597b30d2bd0310fcaba5

SHA1
48a4dd99e320d7d81ea0a6cc1ee853d3072c2292

SHA256
33873135e4553be2a9522b080cd4e7151bec68e828ee6742bf29eaaa81c2fdbe

SHA512
923b60981ba454919c0bbd6e92b0b03276a923db18acd3f7e8881ea0fbd638db3d34c1f2832aa30db4b53582b81fe946ace8f40a39be652835e205191ce83181

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
4cebe12c454428972ed0d5eb5fe60045

SHA1
35b72b557798d9318b55ef8f14a8467b23a550c2

SHA256
91f6fda6e1eaca6b1bb3585868c735ef89bdc93dfc3ec717927cf6cf3460835d

SHA512
c13052b85bd9b25633881565e5563bc99de0a807bc522a0c607a6fb9ea2f90c2fa75035a7eee6f93bc1c59b3858f5bb4038f93283a0ef33e499ee553f453779b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
c0c2d3051d6c27533033a094d4275c72

SHA1
f512426ba5b7dc50984efc832cd5e06e69694da2

SHA256
c34524453293e45a7ae7c5aa7ea6ad2e726d45d16f7c263be4a829e24a1cd94b

SHA512
1f1d1cac5b12be8e84fa483cdc26125afeb228db6838510281cfa8df57b39ea9438808e8d0c557a82de36ff69ff35701b3948a456a3fced28ed9192d9d3d025b

Download Submit
C:\Users\Admin\Desktop\Endermanch@NavaShield.exe
Filesize
9.7MB

MD5
1f13396fa59d38ebe76ccc587ccb11bb

SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Download Submit
C:\Users\Admin\Desktop\Endermanch@NavaShield.exe
Filesize
9.7MB

MD5
1f13396fa59d38ebe76ccc587ccb11bb

SHA1
867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256
83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512
82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Download Submit
C:\Users\Admin\Desktop\NavaShield.zip
Filesize
9.3MB

MD5
b05e1b131299f3d57323bdca54b00570

SHA1
82ebeb46687e7b285f588c056e52ccaab87e464d

SHA256
3adb8147e461a11add25101d78205b61b54b6993022c8014b9a55b3197ca39c9

SHA512
35580e1580cc2dc5a50afdb1e3453517fa3955f7737c177a83bf2bbb9d000a7a5f060b032200e0440c4478400ac8b1788e018fc7c88ed150b96282146e2f2457

Download Submit
C:\Users\Admin\Downloads\NavaShield.xrG0yvJ-.zip.part
Filesize
9.3MB

MD5
b05e1b131299f3d57323bdca54b00570

SHA1
82ebeb46687e7b285f588c056e52ccaab87e464d

SHA256
3adb8147e461a11add25101d78205b61b54b6993022c8014b9a55b3197ca39c9

SHA512
35580e1580cc2dc5a50afdb1e3453517fa3955f7737c177a83bf2bbb9d000a7a5f060b032200e0440c4478400ac8b1788e018fc7c88ed150b96282146e2f2457

Download Submit
\??\pipe\LOCAL\crashpad_4232_BIODVBPXSPTGZQEC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-1030-0x00000000026E0000-0x0000000002867000-memory.dmp

Filesize
1.5MB

Download
memory/2804-1029-0x00000000027A0000-0x000000000292B000-memory.dmp

Filesize
1.5MB

Download
memory/2804-1015-0x0000000000BC0000-0x0000000000BDA000-memory.dmp

Filesize
104KB

Download
memory/2804-1011-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/3212-928-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3212-903-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3632-1026-0x0000000069F80000-0x0000000069F88000-memory.dmp

Filesize
32KB

Download
memory/3632-901-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/3632-907-0x0000000002750000-0x0000000002A6B000-memory.dmp

Filesize
3.1MB

Download
memory/3632-906-0x00000000026D0000-0x00000000026EA000-memory.dmp

Filesize
104KB

Download