4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce

Resubmissions

10-04-2024 19:40

240410-ydkgescg9z 1

10-04-2024 19:27

10-04-2024 19:16

10-04-2024 19:04

10-04-2024 18:56

10-04-2024 18:54

10-04-2024 18:49

10-04-2024 18:41

Analysis

max time kernel
112s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

467KB
MD5

12b9d6652e7d1689ed510c50c53bd38c
SHA1

013a1cc01a97a97d9b18dfbafcfec91a57e6232a
SHA256

4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce
SHA512

0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c
SSDEEP

6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

geometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exe

pid	process
5076	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
3948	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
780	geometry dash auto speedhack.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

geometry dash auto speedhack.exe

description ioc process

File opened for modification \??\PhysicalDrive0 geometry dash auto speedhack.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{635E71BA-A081-458E-ACE0-AE18EA351D02}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

Processes:

msedge.exe7zFM.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exegeometry dash auto speedhack.exe

pid	process
764	msedge.exe
764	msedge.exe
3624	msedge.exe
3624	msedge.exe
3440	msedge.exe
3440	msedge.exe
4748	identity_helper.exe
4748	identity_helper.exe
1824	msedge.exe
1824	msedge.exe
4788	msedge.exe
4788	msedge.exe
1508	msedge.exe
1508	msedge.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

428 7zFM.exe

pid	process
428	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exe

description	pid	process
Token: SeRestorePrivilege	428	7zFM.exe
Token: 35	428	7zFM.exe
Token: SeSecurityPrivilege	428	7zFM.exe
Token: SeShutdownPrivilege	2116	geometry dash auto speedhack.exe
Token: SeShutdownPrivilege	4616	geometry dash auto speedhack.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
428	7zFM.exe
428	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe

Suspicious use of SetWindowsHookEx 60 IoCs

Processes:

geometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exe

pid	process
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe
2116	geometry dash auto speedhack.exe
4616	geometry dash auto speedhack.exe
2364	geometry dash auto speedhack.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3624 wrote to memory of 3172	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3172	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2768	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 764	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 764	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2232	3624	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce3dd3cb8,0x7ffce3dd3cc8,0x7ffce3dd3cd8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,6020996944858488859,17469135460147707915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar"
  2⤵
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe"
    3⤵
    - Executes dropped EXE
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe" /main
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      PID:780
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        
        PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
1⤵
PID:412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
35KB

MD5
a053b626552864ee4e93f684617be84c

SHA1
977f090d070e793072bfb7dce69812dc41883d4e

SHA256
25b3ad881a0a88c6228e12688078638fe0b96210d0f0e20721e3c911a5b37dd4

SHA512
f7b444b1a1c465a4614cd1b9bd678875251f44e227abaaaf1fa6b35bb67bb25932b9b11cc8fabd19d2d5d6e80c6ad0b15149869e6e41f6345db3d49f08683e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
1.1MB

MD5
d404b61450122b2ad393c3ece0597317

SHA1
d18809185baef8ec6bbbaca300a2fdb4b76a1f56

SHA256
03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb

SHA512
cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
89d48b2001ffec2f873d546cae13b787

SHA1
f3ecf420307aaff12eaf7b57d2499a654208236c

SHA256
c39b26068dbd52949db2919b5e7e8318fb45a765ca88f0482968b67763598844

SHA512
52b0a7582b08b1c98f3197e012ce029efe02c46147b9a90552809b39bf14d1754e892a5c25be73bf35066328226e975d8c868954a4d92ebe3ff9d3c6fdff26e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5e7668d31030471cdaebdb93b1ff83e1

SHA1
001c77594a97b83b73756da9f01e7be17d2c9985

SHA256
57f39097004555c4eb3b4e191d0a734d780876814b027902f4cefde5abe306f1

SHA512
0d5d165765e3661a1b32fa56f0176f30426104566b2bf7ccf2245734bdea15092c910db6f2c6312b3bd7c6e47234dd16364864200ac35de2e75224853df08358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e7672d7f33ec2536b177f2b70929fee

SHA1
40b28aa15f6917aed0ccffb061761b93c027afbc

SHA256
0fc1e45cca697e32e4bd08e6802fd99d37a7c403f584654c41035660ac2e150e

SHA512
c9659faca62213eb51952f779923eabe0510460d240b100d927b629b84ab874955be43bcdfc63b2f593c1abda114d796829090224f38882e3053a27f230cc3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6f5115463d3ef0237ad18c158792d32

SHA1
b39961dceaba881f553798b326d4337a7d4d4226

SHA256
09fc74b84792e696d2ecff27d3ad0a7916e098218ac066277fefec242ae6302a

SHA512
297041113ad876bb3fb4be7ee052d7bbca81be60dd0a5bacb976a60a0480fa96b86b17a86f6c1c3a98b5580e09554bc78cf9daeac7a55b31be6986da42322a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
268cfc43c46cc2a7a9ef7520ee715af6

SHA1
dfb031a2a30dff6962e9c1ddc352f1709817264b

SHA256
21aacfc84027a9996fbf788bedeb215cad52445357d26ace1d91081ea4d1d013

SHA512
15f1e459d92014ebe29a99b1f0e98a02ac17fdd6522dd49e6224210d8d8fcedeb28c9eebe970e93ebe00b2fb486a40e1a6ea304dbc9e2e9f26694e638d2880f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db8dafa6cd708ade251efc44c8b13a24

SHA1
d0539e9c471a8380850017bf76645df308a75d44

SHA256
767b123fa2a605fdfd1ea0d9d22aa0b3a7a60cb8ddd7fd35e5498ec4656341d9

SHA512
7f2533efc6854b719496add70b60aa0b4e707b7fdc5bfed3fb679f25fc915befe88f5900a423608a50795f4dcd1c0f833277de874fbe534375be39070777fa8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd2519c83fa7a77fd74d9a4eccf44734

SHA1
fb23e7f3aa37b939d4923ce80e054852ea0e34b5

SHA256
10e5a6901de806550c82818c02e7238875a7d4326c6193cfef6781b357051425

SHA512
006ab1b9a4d09175272776974af9c9701c5d76df1912a4a0768ebe9b83a129ba4a9eb6a63ad02e70ff1235af69d17aeca918a1238ea356739d4aacc1c12d66c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e7221948f5e3225ec08d53c14bea175

SHA1
5bf83fbc59bf9c2c28e0f826968d41a654c66af1

SHA256
8d2afdd59ff554937e51909a4ee80ac5fc33fe214d0561bd8b4b93192d4a9249

SHA512
92456bc3460aeb420c65a784e48f8bda7edaad3dfea2ed61befd1b3a9bf09a84f3fe3f7d49598c2b34430f11734dd56461cd7dac7fd4f02b6d2bf0ba25f8a597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
8d2b2c79c5373d0461decc62ce01aa9e

SHA1
0757d578d930980ba5bc4c7f868b809e50599bf0

SHA256
6f4c923b94557a70626eed13b7572852651db25663f74980f00b8c20029f8c35

SHA512
93dfe5b23ff1fb0f0fc3fd0ad0291dd01896e5284b699983901148082fb50219fb48e830aaaeabeb901e3ee395bf68e20e58284a9329d5abc49c21b9a105582f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
47ef37fd25c85f93333c1f98f4172fb9

SHA1
52a42b31a552e1e846d42db98d0c5707ab520fd8

SHA256
d9d8165808a6da989c161270da94ad385bc7836e5bb47b593a60b7c5503d3599

SHA512
ddfdd3c438088806d0abb416917aacd1ee00e5ae7304fca0bcf7214609d87e76cbc6dbbd34c14201ce4ab532afa9b403f5f24c4446d9bf2b8fc406f6a607dc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e639.TMP

Filesize
538B

MD5
a5056998958fb20274b0532ff3bbf57b

SHA1
d15ff849fe15677a2ea0562f21d1d64d5d7e8c97

SHA256
527dab75d70a7d502f2e6cf9c340d10b858b5dffa10244cadba2fa0bd915e525

SHA512
c075c348279d2aefd960938381ad86e1e483f4240dcdba36ae488de9a3f398bc7465d39262dc7cdfd116cf672c738fec6b61f6584e31f0105488eaf91a5650aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
693be4a64f20f4cd691966152fe1c182

SHA1
dcaeb0a22e6e09aa1f189c0e41ee8c125f746646

SHA256
32639f0e9a48f7a1e52052d894c06e600077b8d0c9f96a47aa7cd07bd8b59fca

SHA512
7cfbf03f10e38d8abaec90feb1b4f824aeac2d674993c0b0834d40820ebd6edd2d7edc338ea5189d3c50d47796b04a308e458e8a780f3499ed5c7b1275da1c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ecb46a7cc83900e4013d7c5fab011e58

SHA1
a604d338bcf6e16fa906ffb83d632b67e637abf8

SHA256
1895e5ac05ad3d1afc6110d302b98814201767370245a62212366df7190f8ec0

SHA512
d78bb994bed375af09285ec6701716e25e3a5721d03f9ba5fc38221b5c05f15eda52ff913332a9632fdfc90b0c40d0803a3b28f1119e4539acb5a0b4e690d1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e7e9f90d99a24199e39984b5336ba36

SHA1
a058b5dab2e1780e7f7ee06528ceff2600e606e1

SHA256
cdfab08b0b9657b146aa7fe2a6990ca982324144b0f00c4c013cdcee8fd89fa7

SHA512
86784a503d2f338f05f13f368d7bee3e483962c818017b5ef86d94c33de30f0e873bd063b11ceb3e3816af55aa836ce571c6d5aec053d7f69d280ea8a921e5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae1894dd13648eecd3d0e30db6ac169e

SHA1
dd8fc95f0385408e9935de78532549e17e487161

SHA256
1cfa52164f27c4de2256d1b7b2d56729ee3664feca1bea5c7ab785ca68199b11

SHA512
f09e42032d17f30dcbf7b216acfef49dc0235420ce6c3acbc3ec9394fe2243f78ff86e0ab2ba6a687cce350472499f3c4f5c72b4d0c26c7195e8256e00f341b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCA1CD3D8\geometry dash auto speedhack.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier

Filesize
650B

MD5
d81099bb79b0e02f185fe50866c96d90

SHA1
72afe60d830d61ba691c446b90e4471aae2f1699

SHA256
2d4084dd35fae9393dab8f1ca478afe66dc265683b55fc7b6222d15d24995f25

SHA512
98d5467b5bfeaa463ca838ad2a462a695ffc78b34aba8eb585d225a15d02f43d6c6db27f5c327c4e1c3775c641fbe29bf82c73132984aa7d35d2f966062a70c5

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier

Filesize
651B

MD5
81b30d164d7034f60f7ea0fe57a10fc1

SHA1
6a4e419c8c439fdc3487f9e9753b926d406c0723

SHA256
499edc20f27cc4ed4fa8e23d3e2e49baaa860663e9ff926a14a7d6f0d602d6fa

SHA512
ab0db338cda81dac4cccd768871b6febd222b23cfd5702febc89d81d2fa3a2f0ad612176d47a99d8ae94e27b616b2b9b1308cea3ae8e2168bb7214f0c9084853

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_3624_KDQHUJTYCUHFCPQI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit