xworm | 21829708b9a4864c95b5f388fb3e0e850c2f1e04e17f093e6e6bb7d7f383e913

Resubmissions

29-08-2024 18:55

240829-xk71maxhql 10

29-08-2024 18:52

240829-xh927swcmf 10

29-08-2024 18:50

240829-xhcrpsxgnp 6

29-08-2024 18:46

240829-xekyxawaqd 7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseDowngrader.exe
Size

600KB
MD5

8c48b5f9d5efc74bfb95390ea23f2db7
SHA1

76e3c2b597164b9009c65f421e87abfc3b3e412b
SHA256

21829708b9a4864c95b5f388fb3e0e850c2f1e04e17f093e6e6bb7d7f383e913
SHA512

de80367169c7862ec66505c84c42be1134c16c9c19a8f1344d6ed9dd1d7510fe993cc249b077c2e61c2f3cdd2555930eef50f44e287fb42ef11b00593229a28f
SSDEEP

12288:Egby/bP2s/c9DO3LOBCjey8al5+mAIG+dGRqCW77UZh:Egby/bP2sIDULOBCjlvWI7GRk2

Score

10^/10

xworm bootkit discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

la-michael.gl.at.ply.gg:65463

Mutex

641UIwoUJK0Mht9q

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023584-375.dat	family_xworm
behavioral1/memory/220-412-0x0000000000CD0000-0x0000000000CDE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	Solarabootstrapper.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk	Solarabootstrapper.exe

Executes dropped EXE 17 IoCs

pid	Process
220	Solarabootstrapper.exe
4764	Solarabootstrapper.exe
5292	Solarabootstrapper.exe
5976	MEMZ.exe
5720	geometry dash auto speedhack.exe
5444	geometry dash auto speedhack.exe
1292	geometry dash auto speedhack.exe
5392	geometry dash auto speedhack.exe
3624	geometry dash auto speedhack.exe
5368	geometry dash auto speedhack.exe
1744	geometry dash auto speedhack.exe
3428	MEMZ.exe
4312	MEMZ.exe
5612	MEMZ.exe
3380	MEMZ.exe
5492	MEMZ.exe
3636	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{76CC4AE5-118D-4EBE-951C-5744D1425830}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 912795.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4988	msedge.exe
4988	msedge.exe
2280	msedge.exe
2280	msedge.exe
960	identity_helper.exe
960	identity_helper.exe
6132	msedge.exe
6132	msedge.exe
5536	msedge.exe
5536	msedge.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
4536	msedge.exe
4536	msedge.exe
5524	taskmgr.exe
5524	taskmgr.exe
3820	msedge.exe
3820	msedge.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5524	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	Solarabootstrapper.exe
Token: SeDebugPrivilege	5524	taskmgr.exe
Token: SeSystemProfilePrivilege	5524	taskmgr.exe
Token: SeCreateGlobalPrivilege	5524	taskmgr.exe
Token: SeDebugPrivilege	4764	Solarabootstrapper.exe
Token: SeDebugPrivilege	5292	Solarabootstrapper.exe
Token: SeRestorePrivilege	432	7zG.exe
Token: 35	432	7zG.exe
Token: SeSecurityPrivilege	432	7zG.exe
Token: SeSecurityPrivilege	432	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe
5524	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5720	geometry dash auto speedhack.exe
5444	geometry dash auto speedhack.exe
1292	geometry dash auto speedhack.exe
5392	geometry dash auto speedhack.exe
3624	geometry dash auto speedhack.exe
5368	geometry dash auto speedhack.exe
1744	geometry dash auto speedhack.exe
3636	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 468	2988	SynapseDowngrader.exe	84
PID 2988 wrote to memory of 468	2988	SynapseDowngrader.exe	84
PID 2280 wrote to memory of 4964	2280	msedge.exe	95
PID 2280 wrote to memory of 4964	2280	msedge.exe	95
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4084	2280	msedge.exe	96
PID 2280 wrote to memory of 4988	2280	msedge.exe	97
PID 2280 wrote to memory of 4988	2280	msedge.exe	97
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98
PID 2280 wrote to memory of 4112	2280	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\SynapseDowngrader.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseDowngrader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause > nul
  2⤵
  PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff66f546f8,0x7fff66f54708,0x7fff66f54718
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5536
- C:\Users\Admin\Downloads\Solarabootstrapper.exe
  "C:\Users\Admin\Downloads\Solarabootstrapper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Users\Admin\Downloads\Solarabootstrapper.exe
  "C:\Users\Admin\Downloads\Solarabootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Users\Admin\Downloads\Solarabootstrapper.exe
  "C:\Users\Admin\Downloads\Solarabootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6912 /prefetch:2
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7008840533978040536,17509287460529224667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2644

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5400

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\memz.by.iTzDrK_\" -ad -an -ai#7zMap23215:92:7zEvent7875
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\memz.by.iTzDrK_\Geometry dash auto speedhack.bat" "
1⤵
PID:3856
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  PID:712
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5976
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3428
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4312
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:5612
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3380
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:5492
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3636
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:5532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
      4⤵
      PID:3388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff66f546f8,0x7fff66f54708,0x7fff66f54718
        5⤵
        
        PID:5376

C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
"C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5720
- C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5444
- C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1292
- C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5392
- C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3624
- C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5368
- C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\memz.by.iTzDrK_\geometry dash auto speedhack.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1744
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
    3⤵
    PID:912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff66f546f8,0x7fff66f54708,0x7fff66f54718
      4⤵
      PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solarabootstrapper.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
dc09c510496509e3981af522b77086cf

SHA1
b4eee3a725a749156d668c4aac4632e4085ca034

SHA256
a4180bc0eda75b7ce6a521f045d3fd64bb6825fa3b33f2bc4b09ab0cf545439a

SHA512
77812be3f298444f85d79c8ba8c8e0a2822f8ab2d89fb0de1e1179d09d3b850b7aaecf1b2cc21be9b83538314505a9a961b9be3cc13f04a019c0e456253eed8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b36a567041c474ad2309166bd8564f32

SHA1
ff5bc81947ced7bd3e649239c5143d264c0e8d62

SHA256
aa7f856091069101f5bd5c1300496d18448e546825b4017978573380d91e0576

SHA512
7ce6e3e9ae4cd0bc077e586f57321bb73656891c5a20cb8607aa54f1183ea22f867e9022230d0348db610268a8f670b996dd747e7c02d649dd536d2422a5b728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
aa308bdfb5f80efc8a6831e3ef9cd676

SHA1
f3caef6b019e330793ffcb990fdfbdabd025bf20

SHA256
e4dd7833bb5aa77f85745c4a26821ee53b76d505316b698b771b54fe166e24db

SHA512
31214e92f69b5db31e9fdc87e86b88cfbce320093dc3090c181f0a8d23547cd23f4918503d8144f925d5a8d331d9ea0cdcd0ba1ec0ee5984940dc35fb11343fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
18638ab74f50a9df5d6139efb065355c

SHA1
9fd99374fab90523d154ab46250b4a631e454b83

SHA256
5c0137137d76081463f20f11780825942ef820d07a4c9c8589c2d6b9b3d0eabb

SHA512
677adc164867516b8554df8ad0295697a0d34d866704949b22d376e99ace074907a236714a6cf9c9f49f86eb505f34870d48a89cc6cd6cf4c6868b3f3d9834af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9968ffefbf80c162bab198671d1bbe6f

SHA1
ed0d4a531f803813f1ecf7e83ec90c497b40e3b9

SHA256
ebbaf93a3aa84d64efb8ce877857eb643d39cb6447dae21b63d356f64f6a7202

SHA512
ee0bb9db3be90c204863c8c7e6bd81f555c7640cfa0314710d37c599e7adbffb99f70453e7eead6a59a920d590c1a7dc95feff110a5a15b8630344929a7075de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
385b76332d4ad075f052a92b3a9356f8

SHA1
7de7f70412761e11d6b1289d176ce7671329ba2c

SHA256
c0357853aadcfdfdea302ca5f1bef8cc4156d232ae3af4112c7663ddff9bd17d

SHA512
4b434513d28f9a4f81f5cd9222b44f44c3cc4776090504fd3e82fda544530152f7dbd97de3fb81ee778635ff9bd7d869ee908f86e88372a31c7b627357e73db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d9008137126914b07152646f127adf9

SHA1
bc3f17d65906e64ce3b1054b64aea3b45853f34e

SHA256
27abc158c14f245b30f458ead2db75cba6dc61a2a68b776c4b9245c3fd5a97a2

SHA512
7add1791626ed150fd017084c206f61702ed449488107bed54e3e2bc22707fc9f87ff8edee9428d96a1c3c262208bcabee12f88501461519a432a93cd1a290fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50d26d105d674e6c060175942f1c106a

SHA1
fe3239f6c826237fee9fbf4f8103c0d3eb6a0db2

SHA256
292d04ef15614490dcc8595decbb758e9259d1c4c48a49199bcf318aa3a48231

SHA512
94470bccb67680917d780a2769f525384cf22b43db50655d3936dcb6629fc50d3df73db2bdf25dd87869042f35b9c837dd4611eb7cc08c1dcb54f54b87423d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7cca3e6e3741eb00cfe2be5b7a2aa75a

SHA1
76cb324ff29553db727d61dcc3460772301fbf0d

SHA256
c5341553d79c57240efb68b5584b60497034a8f4148502c6a65da08fc071a3b7

SHA512
d3cf89acab9300b0dc85b802f07f98836fdebb752b4b63f7c7522a34b6f549504bc2c0f0f745bc7a7608dcba8d9be412cf2313e72607629895caf13641f508b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6e40b49e2182b32d805133da303a394

SHA1
ad92f4eac30426cf64dd02d475e32fb2e8e3ea87

SHA256
827a5e8e6ed878c1982a6595a37525f8235e826168b04813fa572f7339daccfd

SHA512
24cb2a746a2a607648538f3fc0db3e19972305fd55104d9c7ff80212baaad2a910250b4208d6bfb7e0d5128df9a2f8701d1ceb465593b707f5a173c13bea08b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6621a23a4b6e30fa97d56f784960df00

SHA1
33f974e60f390e44bce228de138ebb77c53b0ba1

SHA256
ed0775e83c4025d1606120ca26404bb79655bd4c9e9595579d3967b2dee805e2

SHA512
735976767905a07ddee17456756fab6b2ebc06f9d4481a25da405c0027a07b6cca44d3db021785313037222cf6bf2332e50cb5aeef4a3d8efb182eaa4aed12c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc6b8af1d6ddbcf8d37102958bad8c8f

SHA1
a0ed9cd15655a2a8eb9945dea8dd2433cb923b52

SHA256
f5acdd52af0b36b16e924b9f8ea3415c04540df479fbb986bbd0660a2fcdb38a

SHA512
6a1e438003dae6d8a8b6d3fe499e3ba7c1491fc94c616607cc87129926f24c2a5353068ae333c75a92a3fc2ad51a3bdb88aecaca843c880473468f78ab53c854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a3ba09c5e084f6f815842e9401ffe7b

SHA1
52971123027554efe680d0c79c3c2cf6fd81a7d2

SHA256
5cf714d9aad1ee660729f762def5fd5aea3c44bab2545c5c5e313c313a3d9110

SHA512
a904f30a858d03b7d01ef674703b9c3d080ede45b81d0132573bbe9861e64ad2732f81bb3d2b8fed81794709508707efe1e4b47476a3faf3812a955539b783ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd1b69c0e78fa9817fb59c9a9fa5f90a

SHA1
e0ca9ec1557bc55c4ef08a36175c967a7d78f870

SHA256
bba246836d7a92cfacb3e2400d82a78d011154bf55964e4fed95cdafb9eec31d

SHA512
386679ae00047142d5e28d254302bf8e65f37fd6c432e23bd2aa1daa68327ea0357bc76ffd138683adc8d1727a3c7a563457be4629c0b189a987c8c2e82b46c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ad47c416b453970df66f54d48f7a25e

SHA1
fa4891a5d8f1ff82f7b9f9af6489b31b89779b67

SHA256
81968fceddbe5e349b6489c49d4a07a459ae74176e556699b801aa81bc42a557

SHA512
3bd8aa8a038b4fcff007a621debdbe5d4a820339bcb6f00a5024b898654e6d84f03a17226ffccb33d092402ae6e5fba219ae4aad9e7d0904bca81f5a95be9608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5829e9.TMP

Filesize
873B

MD5
abfdfd44071560057ba6fcfa9a0462af

SHA1
6f15d2ff65ceda6c1a26f56be813f4dc1badca2e

SHA256
a2a7c77008d68a1af5265ae5704d8fd8abf80ff15019f1446110ee6b20ff2739

SHA512
acdb08e0ed0ceb5c6d8cfc04d5f9de7cf8b7a90257828bad128e6297f19acbf1597dddb5f1e0c207d59976fd6d2ee9212e2fc74175f538cbdacc9525558dfbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
403570aa777fb05b2450addba2196909

SHA1
614f81bc6b0730bad1016f6ca2f2725457475752

SHA256
4b20c391bffd164d98438a311eef836041ff6555f5efe39ee71c0600689c20da

SHA512
a7299b162517087c835c4f72cbab36ae4f8cecb769eaaaf719ce726674a974f39150b98a0e4d74e869665659877256327f8dc39b36be3cf0dcddb8bab21bd407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92ea22e6520684ad0a969802dbde0280

SHA1
5d1e4337a6032f31f22979d428462b00635818a2

SHA256
445f8166cd3196047037727577906ca780eb4cf487c9205ee8ef30b75ebb8e6a

SHA512
b7c65b646db8673388330a79010bead7d3d251013f3c44962a7f944b3c25e887529deeb753d3e2dfde6e5c9528a147dfa7df712a7405bcee2e71a36a9fe68bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5da2d099cdececadbd99ed62d95f3388

SHA1
c9bc384b387f0a61accd5d032b960db688fe2e4e

SHA256
56cfea59d54b9fdd0a09b4e8997a63ba908673a80e85806625243eb0768ade8f

SHA512
896371b519feac39e710ff814de2406e17fb27b357c245af48b3bd0eb7f866b62f3b7ca5790be66bbd298eb7ac6c0c6ae0fa338b416de56cdd554872cb389db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
459feee08891e9074bc8585a52f328c2

SHA1
d4675b68edcbaacf863b4768a7618f9135198150

SHA256
ae3ee570c4114184e5369a3a6b5568e1b3641a12213ebcf1a8f36e2668f39d98

SHA512
371e3a1728433ee8169b41c6ebb6fdc7d6655cea972c5d5fe023bb67303e5c1d6a01d6e796af7e3d1a0e196028ae2c956817b7eab2adc12d1946fee514a28761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
456f631a734681e2097bf149a0adb055

SHA1
2887515216689d1be205ee05bdc35d639dc18116

SHA256
1b2fc690595caafb67f30025377c70aaf0ee1dba7deaa422368ce050bf038a2f

SHA512
a19dd9aba64687017971759d1bcd5686e549d62df16f384ff065e19ffc952b02559ae72f81380341a22ff05386e6c84256f6607e5174f2985189c38c7f8fa81e

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Filesize
794B

MD5
dd86dbdb676959d0f29e40735e594b66

SHA1
a07c01eff858643b320614aeeef9f4bd45941752

SHA256
82096305744461366f1d56a2bc5c5b0ee64986c0706afe693ae072862abd6ce9

SHA512
ff7f0effda454fa6ee8a61107e794966f44892fdb696bf2b4e3155aacd695c013e888406a65b267c127ba84ea868c6d0b4cc235d72b39ebf1fb4cf45714c2e50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 912795.crdownload

Filesize
34KB

MD5
51d03d9a1fc6d52b74e2fa53438dee20

SHA1
a193c629a250170988d2a1725f7126db0ac2469b

SHA256
97f556113766e66bd5b5ca123a9b0b4aa56aa273ceac9202a9de3d77ffdec287

SHA512
5302d3b1cd8610a20194f8ce8b2e8fb858b5f5fdcebfd1f9504eba399e368395e805e684a43afc71cbe29b259ff8451e6f03ad0024ee9818b0b9d0a4e3bec5e8

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_\Geometry dash auto speedhack.bat

Filesize
13KB

MD5
4e2a7f369378a76d1df4d8c448f712af

SHA1
1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49

SHA256
5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad

SHA512
90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/220-412-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/5524-446-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-440-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-442-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-435-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-445-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-436-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-444-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-443-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-441-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download
memory/5524-434-0x000001F3C4210000-0x000001F3C4211000-memory.dmp

Filesize
4KB

Download