hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Analysis

max time kernel
864s
max time network
866s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 04:58

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3116	takeown.exe
3732	icacls.exe
3024	takeown.exe
3848	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	gdifuncs.exe

Executes dropped EXE 4 IoCs

pid	Process
656	Setup.exe
2092	mbr.exe
4420	MainWindow.exe
2868	gdifuncs.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3116	takeown.exe
3732	icacls.exe
3024	takeown.exe
3848	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
81	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
656	Setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpongebobNoSleep2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MainWindow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdifuncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
376	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2400	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 649612.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
4436	msedge.exe
4436	msedge.exe
2904	identity_helper.exe
2904	identity_helper.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
2604	msedge.exe
2604	msedge.exe
2848	msedge.exe
2848	msedge.exe
656	Setup.exe
656	Setup.exe
3420	msedge.exe
3420	msedge.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe
2868	gdifuncs.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3692	OpenWith.exe
1440	OpenWith.exe
1252	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2008	7zG.exe
Token: 35	2008	7zG.exe
Token: SeSecurityPrivilege	2008	7zG.exe
Token: SeSecurityPrivilege	2008	7zG.exe
Token: SeRestorePrivilege	4276	7zG.exe
Token: 35	4276	7zG.exe
Token: SeSecurityPrivilege	4276	7zG.exe
Token: SeSecurityPrivilege	4276	7zG.exe
Token: SeRestorePrivilege	1252	7zFM.exe
Token: 35	1252	7zFM.exe
Token: SeSecurityPrivilege	1252	7zFM.exe
Token: 33	184	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	184	AUDIODG.EXE
Token: SeDebugPrivilege	2868	gdifuncs.exe
Token: SeDebugPrivilege	2868	gdifuncs.exe
Token: SeTakeOwnershipPrivilege	3116	takeown.exe
Token: SeTakeOwnershipPrivilege	3024	takeown.exe
Token: SeDebugPrivilege	2400	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
2008	7zG.exe
4276	7zG.exe
1252	7zFM.exe
1252	7zFM.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
1440	OpenWith.exe
4208	SpongebobNoSleep2.exe
4420	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3224	4436	msedge.exe	83
PID 4436 wrote to memory of 3224	4436	msedge.exe	83
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 4596	4436	msedge.exe	84
PID 4436 wrote to memory of 5060	4436	msedge.exe	85
PID 4436 wrote to memory of 5060	4436	msedge.exe	85
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86
PID 4436 wrote to memory of 3976	4436	msedge.exe	86

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff88fe46f8,0x7fff88fe4708,0x7fff88fe4718
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\avast.vbs"
  2⤵
  PID:3140
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\avast.vbs"
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,15513324232769003616,6949765648109283159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3428

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5878:128:7zEvent23879
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2133:128:7zEvent14249
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Fake Nvidia installer (pass 1234).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1252
- C:\Users\Admin\AppData\Local\Temp\7zO4E40B7DF\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4E40B7DF\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:656

C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_SpongeBobNoSleep2 (HorrorBob5).zip\SpongebobNoSleep2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4208
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\A5A6.tmp\A5A7.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\tools.cmd" "
    3⤵
    - Drops file in Windows directory
    PID:3128
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1360
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1768
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1272
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4904
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2348
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4516
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4216
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3708
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1412
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:440
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2720
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3280
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4004
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:768
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3608
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1592
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5096
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:940
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2944
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4560
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2624
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1536
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4980
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2220
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3448
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1612
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2248
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4392
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:764
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1800
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2504
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3556
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3988
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:4912
- - C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\MainWindow.exe
    "C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\MainWindow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4420
- - C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\gdifuncs.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2868
  - - C:\windows\SysWOW64\takeown.exe
      "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3116
  - - C:\windows\SysWOW64\icacls.exe
      "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3612
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f LogonUI.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls LogonUI.exe /granted "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3848
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "tobi0a0c.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\36f967d0-230f-4e88-98c8-8c34c1371791.tmp

Filesize
5KB

MD5
6cd09c3087f29feb08c1d38abb3bb711

SHA1
cfde7798640b1dbfb16b436f9b075f4a045e33d6

SHA256
543d58e5d2906bc886c8fe30cfeb144d7b50079698403bfb22a07e0b7d4acc57

SHA512
df498a9fc6b236b7b3a27ca84d93e99aee11a9c24c98cc4072adc085a2f6993de9ca1baaae3216c64c8d85796cf9c2aa7e8dce95ab1ea664671718c4385021e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2e59da9a8bd74b14bcab476061403d65

SHA1
82afd2a2a0c61349e47b06505ebf7bc96b4645af

SHA256
0329f67e4416de2e5c091aef7c1018f95701ff06b187c81458ae7819abf5ea22

SHA512
a114182bdcbf0cc18b1788d0c738839b2b6bb349b2ca0c9462cccf19e32d24d7e0fde89333e3edaf809d2a5425a82315fe50e0bdf4bd3de709f843077f66ed3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
96c10c3641608501b3f32e4fe07109ca

SHA1
261fd353be09813a86b27c7081ee7da377a70f47

SHA256
988f25daf76b04901ff551dab1a7ed82bbefe74e55e0db0f1c70591d29dd0588

SHA512
5ac2c6b1d6346a7e1e1c3727c8f8119e5d996dd05f9e2802329897973fd5f9f175103819b6f99e33cc182e143e371b42fa04bd2251930d3138555f5125ec5857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
f5efb2cf9219179700770c056a06e17b

SHA1
f821ce0477c2d948f59e90d4e75db6900b1f5f23

SHA256
159439d953aaa2a0e3226ddb534e5d7c96cf304d4b8e92e62e3c91354526ccdf

SHA512
c8a717e42bd30e0fb9b2cdaca6142f7e048fb8133b0168d0f53748bb60cca6ed5ee6b1d26939f7206b033e307bc000e521a5e399aeee1017d8e5ea7856897a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bac0aa1c73e7857bb04e98605df2a3f7

SHA1
966c10d212b5aa053e9525ea5e20d99d11dda37e

SHA256
e659bacc04476198c3173c41f32adc791fd5789c86d64be7b81cc879f26b31e5

SHA512
43fb6d54c2615b20b2864a36c47e8d8d917111939a4d34317833322b18c380025d7a45286ead27d9fe4c52b9b1f878a72dc6857bfa6fc3cd5a5fd91f99fa289f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
090d233ddd2f1eb574a75454bc3aae59

SHA1
d34eea0c11547dc8ad1954a36350305f7c3653ad

SHA256
331f7d0091b3e659e0f67c30de287ae815e53cb4017220da2d017c855353ed85

SHA512
577b4ff2337b3ebe6a9afb0224a8f631de2eaff10eada6209110a587134b6c6ee7b1d3e6ecb2a811292d795aaaedad1eaba6aabc3109a235b72d01bde39abbb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4d58b9606365720bcf55a503557c1f0

SHA1
e787a3a4b86008115776b3113c0f3ee1379b1692

SHA256
a823aa58192ccc1d1b34151045e0e54d34fa0136e0fa5696a55194e4d0b1dd48

SHA512
61798ea44e81dc43917c75d3080c6efa4613f38b2cf53bbbc0cb5ae8a0559109b7d3feed3da633206c398ce03c34d72e404726628e239eba2112b138937c2329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4549416cf046cc274ac5c792c403a27

SHA1
86daf94a603f05f876a46a565ed2c7ab39ad2169

SHA256
a327fe2bf59f0bb974e193f4d5aebcb3dd461ebb06b6abfb2aeb931407bac2b6

SHA512
591187d58241db77565758a6b4152a4da9ad30c0476c9afd3876b50eb9364055756545ddee4997b50c39d843426ffabfa90cc86399a7eb911185d4a91e518bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
0d3efdb4056b0a90cb417edeb2b2c4c7

SHA1
6305bd02bf0f4b84c354995ff33a07b45565671b

SHA256
d2a61bb505006463ddeaaf5c4f54b316293fffbddb7ecae61f2755fb1b496c73

SHA512
066a772353d7a95ff0dd7bf15f264f0aab2f960595423c7fe76ea215fbf8396f5a80186c99555def09156b7f9f5109031275de860b5a10a062827440209df043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5d7d55d5b3ab0ef2496a7a5a91deae35

SHA1
0c103ba1648a0fa817304e8918826664f8ae559e

SHA256
52b0352cef2e6e1ceaaa2beb0da3a957a19ce0547f17b42ca180b9319f1aa884

SHA512
1d7da4ad15ad4450fefd9640bb97d57744f5029afc9729d5c721c640fb77cfe95eb6c18370938a11dc76ccf4ef51d3daab877159ffc0d609023c106cef68a95a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c6d6b587050523c82e9cb54b4e47471

SHA1
9d10f9ba5d3add7a6791a719ca32fdc4757e72e3

SHA256
e70306458f7e1a5d189a868eee4290f1603bbe209cdfb6e24f5123a4ba751324

SHA512
b2c8ec15145847accd4689b776c08d78185a80e96d295c1446d51752e7d4a157bdc50dc67d3df4d5d7b28f1507e94cbd5b3524e87c1b9e41128be32e74576cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c0e4c1ed99c86a243e1d9e0ab62a54d

SHA1
aff74b65f467c3e08344c7633632215b7a9ce6a5

SHA256
3b90fcefeba21ab30debd7d7a12c128b653800b36318791159ae363cf656c6a8

SHA512
6390615af971d7e69837e8503d75110dc586304b970d860280a3959f1c0dbeb653a8b939e170ccb6ee7827dfea1bf8b84e3354d0978d76c9249964f434cbdd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5a63b6fa7a38c03cbdd664089a5319d

SHA1
eabc6d4006d64f9ddad71921dccaaf306e717d43

SHA256
208a18e5d41acf87dabc2c8e87ddca8ee5ac6be9e26201c69e056bbce3635a28

SHA512
e73b97376ec1ef94e496c038fabed5ddd8cb00bbb335852243ad0dcf6930532eb881caed3bd1367c0650273b51bffe2d7b2afc9a58381fcb35f407595e57a582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c1c50f771fdde438c358285149f7f454

SHA1
a2830c28b9982676064e70a61356a90472b03e80

SHA256
ec5bfcd0a0806574e5ac687ec2e7a9a03b360ac19354811f1fe404b8670f2ba7

SHA512
4b845222144b2ed3174b769444183fea998c56cbd76d03e0f0876284b9d415454381486ca22da13bd366b9f463c6842a637a4334e6b1d023954d9ab87591fd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
81220f22ad8feba1a18d2f6e3d8861d5

SHA1
7ce74bd1f391abf5ce56e4a664c47a1325b731aa

SHA256
a37aacae0c852f9c31123b01eb9c793f43d1de054d662c2f95b85cef80cd8472

SHA512
b213f560694fc9e122fdee7ff7180cb95361e1570546f0f72ba9dd75d3777f8b5337805e57aedbff04d1492d2045ada1fc76f4ca1efe41e0ab87666d4ddd3f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ed54.TMP

Filesize
874B

MD5
13a92d2eaa7ba4859a23b53e72922a0e

SHA1
c06bc22c5675559e1800eca84c270f73d366dc21

SHA256
98624a4e82a1247f377cc06c31d7c2ea6828719953a6f4134b72f2255ba5b277

SHA512
ccae30e963f83592099ea6551fd6cb102ee07fc8b55e1c35127f2cd8c162f1b182f680c9fbe41e94051df6cb19796fd3a5b267a2a75550f865779248ac26c641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
61f93ee650ff9539338b0544787f23da

SHA1
1b83703f0b04eb5399f4c3937ce090b571f8a6a3

SHA256
c3f49a1c060605cc00cd69316eafad9881756ea3e3634d53b7f9ab92abcdceaa

SHA512
b5f4886dee9d943c96587711052ca3549ca0a3c36ae570556457dbdfaefb17a29c36fdfac3bba495f32db1db2d08a395f878868e9ac87fad1948f47787873771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ddc6873668922df98ab9e9e58af1db2b

SHA1
104e750332eec2857c557d068a48afba7d7eb7a7

SHA256
ee480f2e0b8341a764f309233e11ce4a4c9413822f809c5e3e7937b6d466031e

SHA512
a8a307370735d7e12047424b7fedd49efbec256409ec796b9bed552ed4372524215648aab363575c78f771a2f5e6798a1c504f8a5c18506363b85d234d480073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7004535d967afa5cce7cfae872bf19ac

SHA1
ad87160a0f3757e8c1f07a71a8dce018826d4897

SHA256
4a8289e0e7392d7b7dfd81129a36868c615005c0e8cc8d638014d412a6f091b7

SHA512
10533a8d41e728c229b978e5b947e650d466bdb1f3f27cfae249b273c64a21e860271af81dcddecbbd758af133e97701be9c439cfbc194085b28652acda149f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92a6b4b0a7a9e3104971a5362a51465e

SHA1
7c615689b7997e5846f18c7cd60860d66cae040d

SHA256
9fd518ab72b1d6e04af3920b7bfae579998a8dfd470f6ad43c443ada0463fa2e

SHA512
0454969b642c5dae167ce187a7732083728ce2ec329f2644d0909974027ea2e4cc9fe935433e03f52cd97ac81e6ac453fd4cc3aec2054c155ccdedbc02f5e863

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\A5A6.tmp\A5A7.vbs

Filesize
2KB

MD5
b893c34dd666c3c4acef2e2974834a10

SHA1
2664e328e76c324fd53fb9f9cb64c24308472e82

SHA256
984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc

SHA512
98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\MainWindow.exe

Filesize
92KB

MD5
7c92316762d584133b9cabf31ab6709b

SHA1
7ad040508cef1c0fa5edf45812b7b9cd16259474

SHA256
01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298

SHA512
f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\bg.bmp

Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\gdifuncs.exe

Filesize
120KB

MD5
e254e9598ee638c01e5ccc40e604938b

SHA1
541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d

SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

SHA512
92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\mainbgtheme.wav

Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\mbr.exe

Filesize
1.3MB

MD5
33bd7d68378c2e3aa4e06a6a85879f63

SHA1
00914180e1add12a7f6d03de29c69ad6da67f081

SHA256
6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05

SHA512
b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A5.tmp\tools.cmd

Filesize
2KB

MD5
397c1a185b596e4d6a4a36c4bdcbd3b2

SHA1
054819dae87cee9b1783b09940a52433b63f01ae

SHA256
56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f

SHA512
c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2BFFED3E1DE847D29594E29D95EFED71.dat

Filesize
940B

MD5
2391af3ca16afff4506d8b5fbe313f11

SHA1
402943e0d1c788f282505a29d87312cbbdf77b93

SHA256
45252f4643509fba7932e3da8a0cfebabf6728a75dce73235cf225d660bfe45b

SHA512
8e3c75898d9620526ac66f9f1eeea778be8e6cca8fae757e0170291710fae2e38a87cef14b1f24e0935dbf310c3b5d0fc219ca3fbd1259cd72173a34aaea3516

Download Submit
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

Filesize
26B

MD5
bb6d68d7181108015cd381c28360dfc4

SHA1
192c34b9cba6f9c4b742f2b70d9731b8ba2ac764

SHA256
aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317

SHA512
e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

Download Submit
C:\Users\Admin\Downloads\Fake Nvidia installer (pass 1234).rar

Filesize
3.5MB

MD5
294ecd0652df2f3eeab38dec90c0b1b1

SHA1
f4a588257e422994821302136513f51e04cb74d0

SHA256
42ae555c1f9357f22efa16f56dc0c6df92b0ad981a5bce17dbf8aeac2089bfc2

SHA512
3df2c26a8ab8796f55be81c471751d33a7ba91ee287631f428d458bf1e0b02ec10e9be0a8c79272f8a049ef9a2269d2e6396c9061b49a486a240015d62c78581

Download Submit
C:\Users\Admin\Downloads\SpongeBobNoSleep2 (HorrorBob5).zip

Filesize
9.7MB

MD5
914fadaee197d1f71082a7bd95e042e6

SHA1
3356ffc83b5edb82940a04ce067d9e7ae7fd248c

SHA256
07bb2b15e3e6a2711ab2290c1f4a10f89ce193657e64f4e92190b7139ffec6ac

SHA512
b9aa1390283b3003b264531ed50edeeae1922f25dca5fce0bcbfd5b72815ef7040fa8c024276e234286b76f46a4c69292b45b8250679f686f329ed9edb042026

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 649612.crdownload

Filesize
41B

MD5
b15b1be9bc8bfb2cd4a09cd1071c0160

SHA1
1be852ad7e1159742815c55a92ab54ef544eaa17

SHA256
17e40f4a0e4b75951e565625fce4aae70d5595b4a0000652f6223e75172af79c

SHA512
bb49e3b42cf581ad43882d78d579d6c846f18c51ccdfd8dfacff450a1d5109df755d7531eabca61e44343a23e46cfbc62fa11d96b3e0c7cd4a9a4c78d70c5eb9

Download Submit
memory/656-507-0x0000000076F50000-0x0000000076FE6000-memory.dmp

Filesize
600KB

Download
memory/656-520-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/656-506-0x0000000076450000-0x00000000766D1000-memory.dmp

Filesize
2.5MB

Download
memory/656-501-0x0000000075920000-0x0000000075965000-memory.dmp

Filesize
276KB

Download
memory/656-504-0x0000000077300000-0x0000000077420000-memory.dmp

Filesize
1.1MB

Download
memory/656-503-0x0000000075830000-0x00000000758AB000-memory.dmp

Filesize
492KB

Download
memory/656-497-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/656-500-0x0000000075D00000-0x0000000075DBF000-memory.dmp

Filesize
764KB

Download
memory/656-499-0x0000000076E90000-0x0000000076F4F000-memory.dmp

Filesize
764KB

Download
memory/656-498-0x0000000075530000-0x0000000075745000-memory.dmp

Filesize
2.1MB

Download
memory/656-510-0x0000000074A10000-0x0000000074A62000-memory.dmp

Filesize
328KB

Download
memory/656-509-0x0000000075060000-0x0000000075068000-memory.dmp

Filesize
32KB

Download
memory/656-512-0x0000000074310000-0x000000007431F000-memory.dmp

Filesize
60KB

Download
memory/656-511-0x0000000074320000-0x00000000743AD000-memory.dmp

Filesize
564KB

Download
memory/656-515-0x0000000073AB0000-0x0000000073B5B000-memory.dmp

Filesize
684KB

Download
memory/656-517-0x0000000077240000-0x0000000077259000-memory.dmp

Filesize
100KB

Download
memory/656-519-0x00000000705E0000-0x00000000706E5000-memory.dmp

Filesize
1.0MB

Download
memory/656-518-0x00000000758B0000-0x0000000075913000-memory.dmp

Filesize
396KB

Download
memory/656-516-0x00000000725F0000-0x0000000072679000-memory.dmp

Filesize
548KB

Download
memory/656-513-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/656-514-0x0000000073A90000-0x0000000073AA4000-memory.dmp

Filesize
80KB

Download
memory/656-502-0x0000000075CD0000-0x0000000075CF4000-memory.dmp

Filesize
144KB

Download
memory/656-521-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/656-537-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/656-544-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/656-496-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/656-495-0x0000000075DC0000-0x0000000076373000-memory.dmp

Filesize
5.7MB

Download
memory/656-494-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/656-493-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/656-492-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/656-491-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/656-490-0x00000000725F0000-0x0000000072679000-memory.dmp

Filesize
548KB

Download
memory/656-489-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/656-488-0x0000000075BE0000-0x0000000075CC3000-memory.dmp

Filesize
908KB

Download
memory/656-487-0x0000000076450000-0x00000000766D1000-memory.dmp

Filesize
2.5MB

Download
memory/656-486-0x0000000075530000-0x0000000075745000-memory.dmp

Filesize
2.1MB

Download
memory/656-485-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/656-483-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/656-484-0x0000000002CA0000-0x0000000002CE5000-memory.dmp

Filesize
276KB

Download
memory/656-481-0x0000000000540000-0x000000000093A000-memory.dmp

Filesize
4.0MB

Download
memory/2868-1168-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/2868-1169-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/2868-1173-0x0000000005EE0000-0x0000000005EEA000-memory.dmp

Filesize
40KB

Download
memory/2868-1167-0x0000000000BA0000-0x0000000000BC2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads