Malware Analysis Report

2024-11-13 16:15

Sample ID 240411-p2pllsbg88
Target http://cod2master.activision.com
Tags agilenet evasion trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

Threat Level: Known bad

The file http://cod2master.activision.com was found to be: Known bad.

Malicious Activity Summary

agilenet evasion trojan

UAC bypass

Disables Task Manager via registry modification

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies registry class

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 12:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 12:49

Reported

2024-04-11 13:10

Platform

win10v2004-20240319-en

Max time kernel

1209s

Max time network

1204s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://cod2master.activision.com

Signatures

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Desktop\robloxcheat.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Desktop\robloxcheat.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{EAACD7CE-B43E-420A-8DAD-95666F84F6E3} C:\Users\Admin\Desktop\robloxcheat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5a003100000000008b583c66100053797374656d33320000420009000400efbe874f77488b583c662e000000b90c000000000100000000000000000000000000000028ad7f00530079007300740065006d0033003200000018000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "11" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{201C79E5-17A4-45A9-9D1C-A8A5F7EDFA06} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{6805A83A-6713-402B-A51F-538847E8FC73} C:\Users\Admin\Desktop\robloxcheat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 560031000000000073583797100057696e646f777300400009000400efbe874f77488b583d662e000000000600000000010000000000000000000000000000001eeff800570069006e0064006f0077007300000016000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259} C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\robloxcheat.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 1516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1516 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1748 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 1044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3824 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://cod2master.activision.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb01249758,0x7ffb01249768,0x7ffb01249778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4076 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4244 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5820 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5460 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5624 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5936 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5308 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5976 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5252 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4652 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=5436 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6236 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5480 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6264 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6584 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7092 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6328 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6216 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7084 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7152 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=7528 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=7476 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7232 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6320 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7312 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5648 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6252 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6664 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\robloxcheat.exe

"C:\Users\Admin\Desktop\robloxcheat.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x48c 0x2ec

C:\Users\Admin\Desktop\robloxcheat.exe

"C:\Users\Admin\Desktop\robloxcheat.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6580 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Desktop\Hydra.exe

"C:\Users\Admin\Desktop\Hydra.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\rickroll.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\rickroll.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Flasher.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Flasher.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E94D.tmp\E94E.tmp\E94F.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\rogues\SpySheriff.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\rogues\SpySheriff.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CrazyNCS.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Trololo.exe

"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Trololo.exe"

C:\Windows\system32\taskkill.exe

taskkill.exe /f /im explorer.exe

C:\Windows\system32\taskkill.exe

taskkill.exe /f /im taskmgr.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x48c 0x2ec

Network

Files

\??\pipe\crashpad_3824_OWDKAZGYJKVFWDDU

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

C:\Users\Admin\Desktop\chilledwindows.mp4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\robloxcheat.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

C:\Users\Admin\AppData\Local\Temp\E94D.tmp\E94E.tmp\E94F.vbs

C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
