hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

13/01/2025, 20:24

250113-y6snhawqew 6

13/01/2025, 19:46

250113-yg4z8svrey 7

13/01/2025, 19:26

250113-x5jhrsxjdr 10

13/01/2025, 19:19

250113-x1vegawqer 10

Analysis

max time kernel
246s
max time network
250s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/01/2025, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4828	NavaShield.exe
3940	NavaBridge.exe
5060	NavaDebugger.exe
1452	NavaBridge.exe

Loads dropped DLL 17 IoCs

pid	Process
4828	NavaShield.exe
4828	NavaShield.exe
4828	NavaShield.exe
4828	NavaShield.exe
4828	NavaShield.exe
4828	NavaShield.exe
3940	NavaBridge.exe
3940	NavaBridge.exe
3940	NavaBridge.exe
3940	NavaBridge.exe
3940	NavaBridge.exe
5060	NavaDebugger.exe
1452	NavaBridge.exe
1452	NavaBridge.exe
1452	NavaBridge.exe
1452	NavaBridge.exe
1452	NavaBridge.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe"	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
13	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaBridge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaDebugger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaBridge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NavaShield.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NavaShield.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Win7Recovery (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NavaShield.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NavaShield (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Win7Recovery.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3496	msedge.exe
3496	msedge.exe
1604	msedge.exe
1604	msedge.exe
5116	identity_helper.exe
5116	identity_helper.exe
2700	msedge.exe
2700	msedge.exe
2312	msedge.exe
2312	msedge.exe
4028	msedge.exe
4028	msedge.exe
2004	msedge.exe
2004	msedge.exe
1512	msedge.exe
1512	msedge.exe
4640	msedge.exe
4640	msedge.exe
4676	msedge.exe
4676	msedge.exe
4676	msedge.exe
4676	msedge.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4828	NavaShield.exe
1540	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	4468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4468	AUDIODG.EXE
Token: SeDebugPrivilege	1540	taskmgr.exe
Token: SeSystemProfilePrivilege	1540	taskmgr.exe
Token: SeCreateGlobalPrivilege	1540	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
4828	NavaShield.exe
4828	NavaShield.exe
4828	NavaShield.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe
1540	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3148	[email protected]
4828	NavaShield.exe
3940	NavaBridge.exe
5060	NavaDebugger.exe
1452	NavaBridge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 4664	1604	msedge.exe	78
PID 1604 wrote to memory of 4664	1604	msedge.exe	78
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 4532	1604	msedge.exe	79
PID 1604 wrote to memory of 3496	1604	msedge.exe	80
PID 1604 wrote to memory of 3496	1604	msedge.exe	80
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81
PID 1604 wrote to memory of 2680	1604	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff800953cb8,0x7ff800953cc8,0x7ff800953cd8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,2430817771304261595,16446867947186501664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4088 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2512

C:\Users\Admin\Downloads\NavaShield (1)\[email protected]
"C:\Users\Admin\Downloads\NavaShield (1)\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3148
- C:\Nava Labs\Nava Shield\NavaShield.exe
  "C:\Nava Labs\Nava Shield\NavaShield.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4828
- - C:\Nava Labs\Nava Shield\NavaBridge.exe
    "C:\Nava Labs\Nava Shield\NavaBridge.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3940
- - C:\Nava Labs\Nava Shield\NavaDebugger.exe
    "C:\Nava Labs\Nava Shield\NavaDebugger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5060
- - C:\Nava Labs\Nava Shield\NavaBridge.exe
    "C:\Nava Labs\Nava Shield\NavaBridge.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll

Filesize
96KB

MD5
912924f628e277be9cc28a5f2a990cb9

SHA1
13c0166469a271497043a2f13e9a6a610dc2b336

SHA256
bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb

SHA512
b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39

Download Submit
C:\Nava Labs\Nava Shield\NavaBridge.exe

Filesize
4.0MB

MD5
6f89df4cde193c0636c3d497cf1a17bf

SHA1
9faaa0100195e3e81fdade11e7a476a1fd1b23c8

SHA256
e7f05380e90dfb15b91b8bbc2ae48a04ba84d573b3c9f7d81bcc12f814215929

SHA512
c31848b1dceb8f8351991051b389a38b2ca0ae7ee98ebf626576245ca1588f1f6ee14e3eff7b165ecf9879e7e11ab77888e297cc4ccbb405b0ed64ebcda304b2

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll

Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger.exe

Filesize
10.0MB

MD5
47ef848562a159b2ce98d527ec968db2

SHA1
56b34310e8ede0437c422531bb89b2255a03cb3d

SHA256
7d899d2d33bde1c7f55ba0fcd4630b817e42e5cd1ceb8739511a990455275f90

SHA512
ac05354eacab4252e57151e98b8845d142b258590269ef92a724818623f2912b48341555ccc604a810e89ced3178ffc896ba116805ec3d129d9f6932296d935a

Download Submit
C:\Nava Labs\Nava Shield\NavaMod.dll

Filesize
5KB

MD5
3d7f80fb0534d24f95ee377c40b72fb3

SHA1
11b443ed953dae35d9c9905b5bbeb309049f3d36

SHA256
abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc

SHA512
7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll

Filesize
136KB

MD5
fcf3ac25f11ba7e8b31c4baf1910f7a6

SHA1
fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72

SHA256
e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c

SHA512
47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll

Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\NavaShield.exe

Filesize
23.8MB

MD5
9d299e41bae269641af28a6c02b80ef6

SHA1
66114e20ddf19e657d29aa2d1ac56ea93c62d130

SHA256
fce1bc05fbe2de83ee535e5ce0ceee94f2b4f917cdcbe1f1f649f44be25d4ec8

SHA512
26e01252b6caea9122734485654848d31c7f3dd06cf7fcc2806ba2b0705cb914b6b7b4e38ff1f23a5c373277e23d64320844e9882bef4ed27eb68d7ecce5de28

Download Submit
C:\Nava Labs\Nava Shield\bridge.dat

Filesize
176B

MD5
e66f1107f995d52bcd90421b3cdc0dde

SHA1
245acafa2f3dab3f2b7f183d34267dcd976199c0

SHA256
45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74

SHA512
0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f

Download Submit
C:\Nava Labs\Nava Shield\config.dat

Filesize
4KB

MD5
120ff3772aca24f51d66c811ace844d1

SHA1
a9022e61a8ca530a334594e933b81c6821ec6bef

SHA256
c783d2893e4e6f53b95a3d7c8743eb9de8c40ba9519e8628de896f2268e948fb

SHA512
866a9b7136dadcd708222d2b3ffc6657a69104a78641dbd140c3cde126c5de3f151bddb796ddb69fad56487f6a2d096949a833f030147ce3f07520b0dd22ae54

Download Submit
C:\Nava Labs\Nava Shield\config.dat

Filesize
4KB

MD5
477e979b4058d08a001740c4abae65aa

SHA1
5650e01f53400a4e629e0a830d8e1f559badca84

SHA256
26aba2911d9f7d7d7be9e5032e06a8355f6c17fa0a23eff76b7955cedaf736a5

SHA512
081e2b2b7200395de9dd22aea2bc4597e007a212255ab64156e2fc21d2287b3280e5ae39c27a306c11b1c65a979aedf772b98295649927c696d5b524c0acbcd5

Download Submit
C:\Nava Labs\Nava Shield\navig.dat

Filesize
255B

MD5
0bf850cb9d0aa0f4c778cc515b79bd13

SHA1
c0cb8a58cba046d2c7539025a39c8a1af81c3914

SHA256
9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00

SHA512
649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
401KB

MD5
2877bb68fe0971fd721e426bd7650c4f

SHA1
d1cc4e0bb506d43f8f94e655ab66468feaaa7836

SHA256
dfbbc4d8e684ccbb14739ab8e6ddc8dde751dc8ce55fd50717d4c0e7353402c4

SHA512
68066729370b8475bc919404671fc8c63c234616137768ac8c25e504e8014f59d2fbc0ac96647f6cd1af18b8e37662f81b836e17da80dac1e2eca43d80a69363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d83d3642ce4e82c28d3f2f61302de3d1

SHA1
4c7e99556f5f9c5b89e307e732ea58c9088f3d49

SHA256
d92f96ff93468f151e01e0cc575a6ad57331b6ab76216ac156bb09439dc99c5a

SHA512
94f4ef389302720f0d1b41ad431a5a32a03257f666f384723b979ba3b3fd3667a8a06d5348fcc67a00d66c4224ba3fc910d87a30cd039bcff3614844d6f35ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
5e5f8da23b74c8f7d42874888a114b72

SHA1
6e83ea363ca755b096fb118d18928a7ccf8966cd

SHA256
54bfa30f3f0296ef653b75494f09cd3120edd8d21464627d6ff1f47a236665d7

SHA512
53ee64ca50c5a42407d64cace82c4534048e133de59286d93be7d18ceac335f3df19e0a809d3871f85c8d04f253f6f031f3d194ffab26e5372ab2ce52d0b7e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6e7674d1097dc168eb74526fdc7d4d3

SHA1
734897618c1402b136df2baec329d1e869bc895b

SHA256
812be45f999af2548bce3b4039baa12f773ed9455d137a498cbf2d91f3312f50

SHA512
d000e0a18888856f315907dd6d0aa20cadb0d567b55125c649073bf588dd6b72048d73f331f7b5926366b67254f30b5fd62f04532edee69fa19929b69a7baae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ebb8628979edf856b12d12394e9c6c8

SHA1
1202fb6ccf0b0fc06d7f6fd30118ba1fefd8525c

SHA256
7730cb797ee511e68a8d52da22c4819f6a99b68cb86f84417d8feb01005a2b16

SHA512
e2e2814913dec1c70e57cbdf4d1941e47505c8568b2f1f493d8d073954c082874a020c80354fded4e8e973dd5460ef8c91abb6ce96b345b1a7245b317d374401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60bed5acfe3cabadd651fbab16d8e642

SHA1
a736e0ac50472710ed55f045190956d433fe3dce

SHA256
e73e13ed21ce2b991342a417b16ba06274cec9c9e1e1d7c1ef83c97aa1cdd565

SHA512
767a76fe486ff9194f60efc3bbac0b7440562a13b646d1db08d717c7b3f0f44c97e28f9156165760e95ec0ef2686a6291758f3e9da3a1dda9bac947117b8997c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97327860be0db705fe4ad90025a4620b

SHA1
b19061e0ca63f7c456794622b80664025b04b1a6

SHA256
0f31bac37f6037cca224b903474ae5c87365eda985b5bc0c2be21da1b3563869

SHA512
b00785843bf5343bab761eba92dfaf0a5cc8e7c7ca8f7afa9445d8d06d8392f6154c7e07e4e4d6a7a0d8642ad0659e6c198efa09499535166d1bdf9763f386c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8fe55452c2245db553407c02fc5bca21

SHA1
b3a10669d5cae5785d067337d8e4678fbef171bb

SHA256
1ce0a913f3df875e15d4e67adbecaeb4c9088c15195f3c4b176937086b9dca40

SHA512
383a8c58df2ab80920ebd069fe58b182a40e3dff5b24bda8c2c11f945327b4d33253f0285050d054324bfc461339a4fc94437f4515aee725b73918e82c1d9f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c015ef579845f90dcd02373d3e206b6

SHA1
e3779d22105665fc988544488fe9b63bb196d989

SHA256
46fcb6a4a57418c21199292eebc9c067b8b73c5535346f932d286dbb1e4d2528

SHA512
dfe78d95c56e5b1a1ff3ab2c02029e2b77ed14291733601fd9aa2c140d513b4ea9987e1982b98d42dc21f47a2a2d4094d1d372474f033f0d4dba170accc112f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc2a58bb75a430617e4ac9e17015dd00

SHA1
5dc89b2016dd9043ce36ac5bcb0cb487d35f644d

SHA256
b7ec82403f03573247e9721e17994b930f763d0b0f079261cfff010f22388b71

SHA512
849482fa23f88ce279e84f3119e848196405e507d02eff033ddf81b4cf7326d45b020d276bbbff230126dd6ca4f09eb9c9f65321d901d0903ea9f31ae147fa3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fdb9.TMP

Filesize
1KB

MD5
5c58ec933fff0b122257fbf7df8aef90

SHA1
10bc3974fe5f8a08cd28114222804be7b3362dab

SHA256
137d8fdca4125010ca55ab007504258645d2a7cf611c24e8cef99766451610a8

SHA512
205593332e02035825d1b56e523507cf0e937997cefed344569cdc96e9567d7cc1c51b4469f40de9f1c1f8823e171f21589592b14ed817a0f410ff7fc11d27b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9587d092dffec370bdb9c1a86d0eb3d5

SHA1
38e866816414958d65861fadd898aa898baee50e

SHA256
226525ddc0241141a1b15cfc7c1337b262f26c37e6200d4bbfda0df87ab56f42

SHA512
9ea39ef90af50ec563804c80edaf8f421edef34d36dbacefe7ee2f3b5731ddd711ffa6392ddfad5cec66aff3b5e0e5bc305e4ab87a22ce9a7fa07525f7b94604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
59ed7659fd8e736380966eabe471d23e

SHA1
501a2ca72909be5bb450d60f25062f58a98c9b29

SHA256
969b02ea969f9187ceb805872a0c26d1e532198bc10cc015eaaeb8b3ee7185c3

SHA512
ac51de0e25430ba3f0b95efcaf46def43ace96a1df9e324883db6833b9a9dfa1629173ad45686fc9bb95e02e3cd2f661a5ab993b58ce533b75d93e2d0a7a6ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a91e96d8afa232b87b76562a03d9900e

SHA1
3f5d2a2ab579f806b76a0e3c74ca300ff424d3ae

SHA256
6540b4bba9b54d393e97582cc1743e6bd09711002a50e14c3f1f1d602e9758c2

SHA512
166cf1f5ca55419d2aa327584ed7d9ee08d9ad89b6b0ff8cde21456aba519431db6da35dc899c681146fd60de9a99198a326300c2f3b10d3bd5658edc94f43ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
1.2MB

MD5
f96faa6ec671eaabc66ef44d5a715db2

SHA1
71b08ba07e5cea3490daeb4b75b4262b1e8a9821

SHA256
6beae61ac55708892f869336fbf24f5987b433d3abe54f00bb69a098715caa1f

SHA512
ab02f785eb412004de71337a016861e790c643bffb7b1ff87d3c7f62e9ebe139fb13b04c4605ff8f069e9e0eb032427e864a6d98af5b8e25fef770bb84272838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Nava Shield.lnk

Filesize
849B

MD5
e189cc38d507b86e5ff9bf4107bad685

SHA1
7df5c1ef39063fd74d90ea28df273efa5daf1bef

SHA256
4d3fb3f85100ae716e427494cdb22b8c75ee45720137141c46091aea70560f61

SHA512
f8ffede74a1c5bbf4c943b4b8dc2c245f9c53b78b3f3c2351850c30923df1188491b7bd3f1e8eab68734865f5263567c2e5a6815d36b18a232dcb8868f11ac30

Download Submit
C:\Users\Admin\Downloads\NavaShield.zip

Filesize
9.3MB

MD5
b05e1b131299f3d57323bdca54b00570

SHA1
82ebeb46687e7b285f588c056e52ccaab87e464d

SHA256
3adb8147e461a11add25101d78205b61b54b6993022c8014b9a55b3197ca39c9

SHA512
35580e1580cc2dc5a50afdb1e3453517fa3955f7737c177a83bf2bbb9d000a7a5f060b032200e0440c4478400ac8b1788e018fc7c88ed150b96282146e2f2457

Download Submit
C:\Users\Admin\Downloads\Win7Recovery (1).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Win7Recovery.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1452-696-0x0000000002480000-0x000000000249A000-memory.dmp

Filesize
104KB

Download
memory/1452-695-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/1540-632-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-631-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-629-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-630-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-623-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-625-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-624-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-633-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-634-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/1540-635-0x00000228ADEE0000-0x00000228ADEE1000-memory.dmp

Filesize
4KB

Download
memory/3148-538-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3940-586-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/3940-582-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/4828-548-0x0000000003F20000-0x0000000003F3A000-memory.dmp

Filesize
104KB

Download
memory/4828-592-0x0000000069F80000-0x0000000069F88000-memory.dmp

Filesize
32KB

Download
memory/4828-544-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download