afc3ff71d364c14eecc12918e7c00a435943005fc86dafa53da529f0a9c95285

Resubmissions

05/02/2025, 09:34

250205-lj3hzaskdm 1

02/02/2025, 14:19

02/02/2025, 14:17

02/02/2025, 00:22

02/02/2025, 00:12

02/02/2025, 00:08

02/02/2025, 00:04

Analysis

max time kernel
223s
max time network
224s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/02/2025, 00:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b231263f-0b92-4f02-9e71-3d6a05534490.jpg
Size

26KB
MD5

99cfb36285d82796d745c8a199f6acff
SHA1

ab990d5b00d7878178a6e77553152149ce4f56c3
SHA256

afc3ff71d364c14eecc12918e7c00a435943005fc86dafa53da529f0a9c95285
SHA512

3a9558a9e628aac5af58f98a9e7056fe5a2741517067f0f9ebac9a800d6bd564433ab0b3910746f99e82573d2ba176241ce3d3b25961a6c27ae828c0d4defd26
SSDEEP

768:Z3Bt4w6U03dxH1/ARsjefQIbwTj5pW0JPfmXkD+lakhXOsX0:Z3BtNZAdxHdARkef7bQ5I8POEqY

Score

10^/10

defense_evasion discovery trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	UltraDefenderSetup.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
88	5572	msedge.exe
88	5572	msedge.exe
88	5572	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-556946243-3021397321-2334405592-1000\Control Panel\International\Geo\Nation	DesktopGoose v0.3.exe

Executes dropped EXE 5 IoCs

pid	Process
1828	DesktopGoose v0.3.exe
5980	GooseDesktop.exe
4260	ytdownloadersetup.exe
5144	ytdownloadersetup.exe
4760	UltraDefenderSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
5980	GooseDesktop.exe
5980	GooseDesktop.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UltraDefenderSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	UltraDefenderSetup.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
88	raw.githubusercontent.com
87	raw.githubusercontent.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000027e7b-958.dat	upx
behavioral1/memory/4260-1053-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/4260-1074-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/4260-1076-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/5144-1101-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\hard to type.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\bin\Release\DefaultMod.pdb	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj\Release\DefaultMod.pdb	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\GooseDance.gif	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\Meme1.png	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\Meme5.png	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk3.mp3	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\am goose.txt	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\ModMain.cs	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Mods\RainbowStrobe\RainbowStrobe.dll	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\Ultra Defender\Ultra Defender.exe.config	UltraDefenderSetup.exe
File opened for modification	C:\Program Files (x86)\Ultra Defender\Ultra Defender.exe.config	UltraDefenderSetup.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\Meme3.png	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\hard to type.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\ModMain.cs	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\Ultra Defender\Ultra Defender.exe	UltraDefenderSetup.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.pdb	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\MMQ.dll	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.dll	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\123904190-a7518900-d9a2-11eb-884c-fe067c99a086.png	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\123906418-bcc8b200-d9a6-11eb-9b4e-f7cd82fe336a.png	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj\Release\DefaultMod.csproj.FileListAbsolute.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\bin\Release\GooseModdingAPI.dll	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\gooseASCII1.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\OtherGfx\heart.png	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\MudSquith.mp3	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\gooseASCII1.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\TaskDemo_FollowLowAccel.cs	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\GooseDance.gif	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\Meme6.png	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\OtherGfx\DonatePage.png	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.csprojResolveAssemblyReference.cache	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\good work.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\.vs\GooseMod\v14\.suo	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj\Release\DesignTimeResolveAssemblyReferencesInput.cache	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.csprojResolveAssemblyReference.cache	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\.vs\GooseModdingAPI	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj\Release\TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk2.mp3	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\2047.jpg	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Close Goose.bat	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\.vs\GooseModdingAPI\v14\.suo	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\changelog.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\bin\Release\GooseModdingAPI.pdb	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\Properties\AssemblyInfo.cs	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\.vs\GooseMod	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\bin\Release	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\123901226-2774f000-d99d-11eb-9e8f-a92f9db3eb15.png	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\Meme7.png	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\BITE.mp3	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk3.mp3	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk4.mp3	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\Assets\Mods\RainbowStrobe	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\bin\Release	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\Properties	DesktopGoose v0.3.exe
File opened for modification	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\What is this.txt	DesktopGoose v0.3.exe
File created	C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\bin\Release\GooseModdingAPI.dll	DesktopGoose v0.3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytdownloadersetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopGoose v0.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GooseDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytdownloadersetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraDefenderSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3752	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "187"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556946243-3021397321-2334405592-1000\{653A73B9-9F2A-419B-81DF-6DC6E33F01AE}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 879289.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3752	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3776	mspaint.exe
3776	mspaint.exe
5572	msedge.exe
5572	msedge.exe
1980	msedge.exe
1980	msedge.exe
3240	identity_helper.exe
3240	identity_helper.exe
2844	msedge.exe
2844	msedge.exe
4252	msedge.exe
4252	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
4040	msedge.exe
4040	msedge.exe
876	msedge.exe
876	msedge.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe
4760	UltraDefenderSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5980	GooseDesktop.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	2644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2644	AUDIODG.EXE
Token: SeDebugPrivilege	4760	UltraDefenderSetup.exe
Token: SeDebugPrivilege	4760	UltraDefenderSetup.exe
Token: SeShutdownPrivilege	4760	UltraDefenderSetup.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1828	DesktopGoose v0.3.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
5980	GooseDesktop.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
4760	UltraDefenderSetup.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3776	mspaint.exe
3776	mspaint.exe
3776	mspaint.exe
3776	mspaint.exe
4832	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3736	1980	msedge.exe	94
PID 1980 wrote to memory of 3736	1980	msedge.exe	94
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 2140	1980	msedge.exe	95
PID 1980 wrote to memory of 5572	1980	msedge.exe	96
PID 1980 wrote to memory of 5572	1980	msedge.exe	96
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97
PID 1980 wrote to memory of 4336	1980	msedge.exe	97

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	UltraDefenderSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	UltraDefenderSetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\b231263f-0b92-4f02-9e71-3d6a05534490.jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4216

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffa1b7d46f8,0x7ffa1b7d4708,0x7ffa1b7d4718
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:1592
- C:\Users\Admin\Downloads\DesktopGoose v0.3.exe
  "C:\Users\Admin\Downloads\DesktopGoose v0.3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1828
- - C:\Program Files (x86)\DesktopGoose0.3\GooseDesktop.exe
    "C:\Program Files (x86)\DesktopGoose0.3\GooseDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7200 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7212 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Users\Admin\Downloads\ytdownloadersetup.exe
  "C:\Users\Admin\Downloads\ytdownloadersetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:4960
- C:\Users\Admin\Downloads\ytdownloadersetup.exe
  "C:\Users\Admin\Downloads\ytdownloadersetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,4509355754780440274,9866799757957438879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- C:\Users\Admin\Downloads\UltraDefenderSetup.exe
  "C:\Users\Admin\Downloads\UltraDefenderSetup.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - System policy modification
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c UltraDefenderSetupd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c deldll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c deldll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5284
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 -w 1000 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x13c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fd9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DesktopGoose0.3\Assets\Images\Memes\Meme4.png

Filesize
234KB

MD5
af4bef7b9f4f37ac62e782b5b59d02aa

SHA1
c5d73aba3040410351758c5ecb1662fde8105ad4

SHA256
9fcc9a9adcd231656e848b9b42bab449ea5a083cbf3a7a987c2e52963d9cf6d0

SHA512
602a153d2b1bcc4c5c4caf596ce8431618a1ff53d102b9180d2211001162644807103385e36fc1837d12fbb0e29313827210d99b54bf9b12fb86754b61a37571

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\BITE.mp3

Filesize
4KB

MD5
5436e6aebabf071c1d832071a01b8bcd

SHA1
c7b19e1afcaaea7cc2db55d4ef74f25c0f3603e2

SHA256
2bf822b86e4adabce83a796de15fbbfeb75ff82c3bc1ed2a0f5286962915d362

SHA512
dd1851bb2d6ea5217f59974270ed59b0d7c758c862a333dcf455d43e03ba4c4484a86596c4a7b1ed46c3c671da5ede356ff5c4f7f9d93746d119f4d4332fd204

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk1.mp3

Filesize
5KB

MD5
db2b7cf36003b2b653df6f3ca986e007

SHA1
d61a94c7b965dec3daa6351d849fa22f646edf8b

SHA256
56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b

SHA512
3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk2.mp3

Filesize
11KB

MD5
3b86bf25cd702a3a071590f088fabf64

SHA1
31b279bca59916ba8202b029e7b7b808981a52be

SHA256
7c8864e0b63969e2469c2d80cd855648044cd15fd89dbabd275954efb7ef6879

SHA512
b63b24259b6a2acb01f7d066fa10c5ddf4237b0deebab4e4389a40ee677ffb232baa0f3029f47e388eb1f6fbcf97f4a640e41b594ce9f0c41a841b97e471e214

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk3.mp3

Filesize
5KB

MD5
bcd1908ce864cb01a222b5cc791d7758

SHA1
fd1f938c0497cf8cf81832843a58db3ae13eb4d9

SHA256
e4b86c31838511199dac9eb6e0507736ee461b0edaa4bf9351142c534f2c2e8e

SHA512
8e883b8d54f9461d1f9dfae64cab391c17b405b6ce351648aa420f0a589def8a4f6d135f3bfb12158aa66df67d4d7b056f0ff3d80c052bf8dc0e1b31a670f759

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\Honk4.mp3

Filesize
3KB

MD5
9b24558524e7f3ec1dd7d123d10541fc

SHA1
d373cc754817870f18d640c6fa04627c74e8f518

SHA256
46aea3ca7321989695db5b15f7997802a6266512d6fe298a26dee9dd6a98ba87

SHA512
e6e0c4e77143e778599b4952c0e0741b8cd092d08179c4b4f1b63698562ec3bcf362888585e253cb53113d3c51b6225d8d4e43cd95b7122c7c2881828d392397

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Sound\NotEmbedded\MudSquith.mp3

Filesize
13KB

MD5
b2354d238829d09c54e272d8b4f60189

SHA1
5a2731c04c50903d41f65d9fe5528a66cbefa289

SHA256
d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba

SHA512
aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\Assets\Text\NotepadMessages\i cause problems.txt

Filesize
30B

MD5
f2703993f83add3a0f08e784a32685da

SHA1
954a8e37f791fddaea3f5d6a156d04d2074e4112

SHA256
47b629fe5b76f824b8640819323c26aa4a6e49f126a189833f30ce477eb7062f

SHA512
1bd6c465df5de3c311a4d5b40e544b67eadc5d6d69fd639b097e1e7d6561ade30961159144d0189839e9cd5cc3a73f671d1e5ace492d3d8b7a1992ee1217dcd0

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.dll

Filesize
16KB

MD5
6f6c8f80d6c36739147b38016bd4b469

SHA1
bf0f81a00ccc595242620b15ade2a0661424d9e3

SHA256
fba607ccfd47e2b6ba04d449f1de10e3b66ba35b7d0e96f71e7c61d0c10486f4

SHA512
1b3d6da8eedc140f3836c60eadc5251870d01db99e72d33ec0b2a585e2e4b2f7e643e2a12ad42f8e6d8704e8af67ca1df728acdbe18c614a1b8f6746d0c3fbc6

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.pdb

Filesize
25KB

MD5
5e0ccb3bd78be9cd539fef6e4005e47a

SHA1
9a28756dffdef59d36bf42cb9cc8e02e454026d2

SHA256
4e4eb668831c91756eb030045d118ebd069fda0b0e0065ee2467c4c1c382cdd8

SHA512
4c58e1d9d77c42500c3d91314257f563a6b3af627ae0d5ec257b38a8b8008b47ad10b8b3a0661bc72a12bdaf549a33453a971802542f5c719fc979fa9f6c1372

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\GooseDesktop.exe

Filesize
221KB

MD5
bc8dc78f2c81ec0b9b20725ab46edefa

SHA1
117c516c1bb6fb85442170345854f896b023a088

SHA256
90aee2294e68cb4771dddf2c303845c61fb344743e5a3d2322bf81002a7500db

SHA512
21a407e52a754b8fe1960bdd12606b9165f7ae6c911f42bfa16e7d0248272d7aef90e076e4f443cdec4d3925cb52e841c5659fc0244831b2790d83c470932def

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\GooseModdingAPI.dll

Filesize
16KB

MD5
9eb11041f2f11d939074e26b4b554088

SHA1
50deec7591fcc5db40939543fc9bf92109f2df05

SHA256
efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79

SHA512
2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1

Download Submit
C:\Program Files (x86)\DesktopGoose0.3\config.ini

Filesize
286B

MD5
0288c130074a043df404ac331b9842b3

SHA1
196355e0ac857082a32e36c4938fe22794b8c55b

SHA256
db74de308ed6c409c5460ba10ddb590ed1f5b5281a61e10934d004feba454ee9

SHA512
52af081fbf93803ab11b4ebc219371662613a9ca05980a045c6af258ea631f2462d6f932959f9d98777e18644a608e884757c5886e00bbbdaa138b3f8afeb07c

Download Submit
C:\Program Files (x86)\Ultra Defender\Ultra Defender.exe

Filesize
423KB

MD5
698b1ffc40125c9096471e1cf71bba2b

SHA1
adbccf41fd145c0dbe2d0454c6281172a7e9f977

SHA256
88c1146982b65b9fbfb801e2d6cf667e048a5269d5c1970cac4827fe918c499b

SHA512
41cf430833762f4e236d9bc074a0b6288a0b9d8aba2ea8059f6b73cf0ab9c9179026a00564f685cdde6cfeafde5e5d57318e6bb7cac7883c9096636775ea4f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5b5e2938c3325c161401499ee96a0ba

SHA1
4621f00616454afa54547878b77908eac4612f23

SHA256
5a952ea083a3e7e7ef51e71fb771d3338756facf386a7c1f80737404b2a17e6f

SHA512
5250a4e074bafa437ae406ac91c7b9e448b1695430caa55676ef7562cd7ceb7af37144094caaf9155c5c0210b53badc5d0009017c12119ab41f40a66dd14005c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
21KB

MD5
6ff1a4dbde24234c02a746915c7d8b8d

SHA1
3a97be8e446af5cac8b5eaccd2f238d5173b3cb3

SHA256
2faaca6a253d69be3efb96620ba30e53ecb3de12d5285b83ecdba8cbc36e7311

SHA512
f117b822aeb0a434a0750c44cbf4cdf627bfebc0d59e266993a4fcb17a7a0519659e13b3bcf8706eed7d80d0ce33b0ce5915afe5872c37c010a401dd6bb1187b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
01d8c930c07fc96de1a43e8761439c13

SHA1
d528a266fa5d566c8e4b5b785f3a435e0ce84d42

SHA256
5cafd765a73d0c1b3a4d385328dbbacae09f978f29e4169bd6dd5ac6a8d22486

SHA512
2b0fe68a801836a197fa3869a1bf73919ffba89001e3015716c490b883f90ba96eb818bb40f22361830c016633b7af2eeacb00ccd4b9aaa6f45b42143c85f1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
937B

MD5
d8571379b93a4f03846592fa92b74189

SHA1
9d51fa9db269b3ef742f16bd47d6d8f9ecb841e1

SHA256
93f33910d39e67fa9d3211009bcf11352005065f223b8a70ef2dfcb1c3fbd512

SHA512
f4600c36df0fc3826a95f3e7e536f19b9d3d97d7bde8134f4a54b361c4d1f3b7efea018c235efd71a77634c05a21240e36e5df2963ebe8cab037843599ce45f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63369d8b5bdfcac897e931d679f6b7dc

SHA1
2009f52c442fa135c8fea80461875fd26ffaa90d

SHA256
f2576e54a5950245d1066287d9ff18db36842037af5cb2098a91a9c8bdd3153f

SHA512
d4155785557278f877824fc98c6281073b24b61d03ae99a1979949bac7f074ed55db379e86cb4f067f52b612050e99e5b68f12ebb090a318ccca931c10db47a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffd7c0be72fbb25af9f1223b293e4d84

SHA1
a4fd89112a81c0687c3105e867044e28988f8db2

SHA256
5726d01f0b6ac4d3b6c54eef1f530132784f29068db5076ddf3d13cdbbd7f544

SHA512
845308483c61809ef7282e47d7484911689772a407afd117c3ccdafa1fec2b54238a47daebfd3aee92e025319cf527e1344acd1372194896ff767a23e820a9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82c3567f2c3e230af12a3fbe99a41156

SHA1
d52f459e585d7da446ed9769485ef3e545ed8689

SHA256
1e40940ad7e4da2e19fbd0ee60c9b1db65f189088126f2d5a60ca610a7cf11d9

SHA512
a1d6fe3f5b948ec6d89d709c46efe64cd79adabf1393eb0f95eca6df5186476d794b8c297fb64bc16993ab1a9ec2959889b4d6f9cd806a9d828f9de4d0702224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
060632a4193edfbbf5c057add749a862

SHA1
062eedcddbf18d83150c89ca98d312df82e056b4

SHA256
3e78ce45038712b584d83ada0d42efe5a547b814610d770f907d6f27f560aaf0

SHA512
c5d94fbfd5dadc5c8401e3a42f28af2d036d30a6d8945c0727a61ba2191fd5d6388b6042adebf1e855a1673b8eb4ca515fc45f5f4813ddd57e376391c8018f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
861b20e01296cabec333c978b8042ae7

SHA1
b94ca95d48f09c89cc4399216282c1f55f6d672f

SHA256
b63299bbb92adb55f4cf3c1c009b16272038649403bea84b2d22751c078a1bf0

SHA512
0585a9eb578f072c11085e5b34ac4dfc3a46a3383d3994c18f1a03b2b6bde4d8aff56e8a2fe5d86b241216c57f541597705cc4348ee33da59d81c9e408356874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e50710d551aabab2b2f0ef30ef31b976

SHA1
46d4404789a01371bd5eb9534b470abbd7bf653b

SHA256
d13609cb406dacbb40f547b7dd6752fc81e2fc7f6d49888646c5bd1ab2d92d0e

SHA512
54eb8bc5b10dfc482267f4823047c3d2b0610c03a9c82ebeace837fd5cf445c171c3665b42a19509a2032507a4497247bbf185edb1fb679e572a8b23c647f14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc4fde15c51d50ef16ac81ffc6da5286

SHA1
58d33dddbc186451b6b667d6474d66eda395b90b

SHA256
775f062d4848b9b8e98c5068b841bbd3cd13a569eaf91dae29cdfd979909c5b0

SHA512
aefba50b0f18543d55c2707bf57f5829df93d3eec526562d896af42b93dc24610751c4d02f908afa0836072f58a5c01b6bd2bfec2b4e8128eefe66c3c24a9d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6bfa555475021c42b17c670ab02cee63

SHA1
908a27d7dfe92517b8cd1c67db2b2d65632e2704

SHA256
525296f882732ba9d65944396fa93d84e3a3a1c2ee3d48ef88ce2720fd112ec8

SHA512
88e0d2342d8f5eeb7bcdb93f52f2f6a9317408288be6db7b0bfc05cabe7601f05ea694a01aef0333d13756b46f66d16c343e8fdada5fb16a95c96631da33582b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c42278f1413698161f067bcd83a23160

SHA1
14683b60ff1e3633458004fa32e0f0f4c0db4f50

SHA256
e31dd695a4ad1a2ce057263dd2b8781aff823dd9c0052e2b3408731ccab0ca4d

SHA512
e2149d9ad2c70e0d908147f952293830d3f7b439ec4a0fa3ac6aa57c8a34c5c7414208dd0e8c3985f1ddb8b4fc19e0edda3e9db9b5fe1befd7c985be656c369f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77e8568f4c0bb0fc24e36cc1f6ffabce

SHA1
c9dfcf6b69eb02eeeec6d0c7425d00fc2ae74a6a

SHA256
c0d3c1591612d7fd50decad4bb0efa52d514a949195b1e8382d03bfe48f49a55

SHA512
4ba8196a27e59af159bbb15d0d41674b9478b1f05efe8af171d24d5d062d71c27a2460a68e1538458caaba876b147bcaa93dbcb5dc00f664a656abcd507812fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
718926487377739285aee7ea960cee04

SHA1
d6e381772150ab4ac07085420ef25abd7fc7fbb5

SHA256
d6f8e7db56e8a54c74d6f03d60cde8032a451f9b2212015ecdd577b8387716e8

SHA512
6599e3f89d15e8a0e852290fe4e5c256958827cac6c5eee41a771c8ca451ef893114d0c9c1e2378df21c055770ea48694994f1aeb67083b6280d051d5e1d8498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4598a40ace36e50e7a2ed24d1aaf8c5b

SHA1
02500794f3ef8be971626cd8fc60ec0a235e1741

SHA256
eaff9b564c81168509d639d418c803cc13ed03968fb442f02fdcb7578b0a26f4

SHA512
1b35c4c8b392eec13a4b10ad0e7a99705078ef56d4bca5866a79cc2f97846d44c5693360e0d4a05d4e2acda2ad7b1a966df915b6c6d17ff2397a4b52dd6b491b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
144d6bc27554ece74fc1e006e8f70fb9

SHA1
6a9a529c930f1445af6d5874361296a95805adaa

SHA256
081fcf5c9eb67fc3edde60ce1da4ef749edaaf07c624f09da0625131ae50fabb

SHA512
12f6b0ced75e3f59a76655e8795913985987c09710aac78912ebbd9efaa62ebfb0d258bec20a214d24bc3ab1c4f2520a452430ba52e45a57927dfe5e83095d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a2d5489069b10af56e8fc1561423f27

SHA1
56875d2c6ac66faa0a9481a3a62d74e543ec2e72

SHA256
77ff54584022fa3c548bcc9039421de533634663a29997f200378faa8c240f5e

SHA512
32fbd9474eb6474afc0c8b06462a1fa4b973eb056bd353e7bd574e03c04a5dda67ee1f92ac06cbd68e8f74d00bd420ac3b72a11e3c2264b93c1d2e25b75019f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a6ccebe8747db96aace62f1878ad6cc

SHA1
6ee4afc8f01df86117b3e7501988164820ace7d8

SHA256
9afa8aec7791dca5961c42efddc70095c7143e30f11b2646855275f4dc1e9944

SHA512
f51d76f0431aa2becafccdf714e4d3c72cee03ae47e26df5201abf10e34112c0ab8f1a16208743800b91f4d93cf2e85c90e8339ecf32af606cc63731486348b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
46fa5e0427ffa683eff8b1cf5b1f9599

SHA1
d90ed842fdf933226bde1404bbc98a5f1635c25b

SHA256
5afd38a6fa343b1c94d8e5f1d07811fa428de8acc74c7814cc79621655b0eaa5

SHA512
c90c250fc5017321eab202d173dbf43004a1ac330a5960a0be6a11601cc61ddb3ce71916d40f65a4beaf723cb4b8616dcecd27d4f23833b9d55d244e5e7a3cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589ac4.TMP

Filesize
1KB

MD5
a999ce9d7a8db9c37943713277a4f110

SHA1
c6d27d22bc2f46844c54d7a877b9c09d3178a4d9

SHA256
71038b4193301d4c51c6b086ebf0844fd8b05d94cbffd0f8c2ae1ba0277a4d53

SHA512
fc11715b643647dee0251219b80f132dd9e76f8819ca6168f8cc6b2fa2a5d1f103eff684d9d259ad63d77aa3aa5e8ba14e97d62b9cf1d53bd1f64e96ef067cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b573058b343d1b566d52291e4ca456b6

SHA1
8b2fae83b0ee00eb2986cf3818c3a028304135a1

SHA256
b11af2ff753d201588137202a658d29140f20ec967fb8b4dbf8e7aae78860c93

SHA512
bcefaa2e4861af290988bf6014900353a2a379b0bb782e651348e544acaac411b019546f67c88b3b5407b30ba82b3c32f853b8aa142aa5ec708c9e7244576217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd02001b308ac007fff40d4e3d679ef6

SHA1
82e18c69fc2e0ee6911bb09a80108e7b238b070c

SHA256
cde19291b05170ba0037f868aa79789651791c7132014c7eaddbf101999539d6

SHA512
7949b6c0f71926132b8eaa28879c484e52c21b1cd590bdf7b6a8f66245eef29c618d0b24bad0ee1a13fc3094438a9ffbdf2e66b842dc7da224b7b1ea1e8966ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ebf4a29b29943705639c7b3141df8de9

SHA1
de66d2bbcdd48d771f57147b9f04caf1a181e6a1

SHA256
168b1c3a996d18449740bf69f539516c6272e4e35c946dbfccd4c824823922f7

SHA512
09dc97659d0451a69452796019bfd259478f3bd2b7eef649efd3bd1c3c56f8b8545126a7f731cb82681f795b99ce5201b557036d669fe78e16e6d7cf1eba0bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb816f0c82747addb50bb94d5c107491

SHA1
cdd9edebefe9e76b76c0d5051fbb078cbdb09cc7

SHA256
32783a5eb436df22d188e9ee145426466c59ac4d23a484397bff045f5317db1c

SHA512
a93151168700733bf66e0099c2c7104e03adbf22ad01676741bfc402bcb23fc8fdd33294100ce135a51acf217496288c2bd212e9998caa6326da9c1dd116ef1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd8162219d5ad299991d4284c91b24cb

SHA1
dee2ec2e8cef06f0bcc92f2df8b861ddd5cfa3d6

SHA256
8912bf134c4361d2a3056875a6efb4235f5bec7064d9a71d3fb249031e061cf4

SHA512
83b139a7f1e8c93e2d5b3bbee694d8cfb24678f27b2573b1551273a260a40f56ad0f16af26b5c232f772869a018055da969e565ee3c52b936e446f1ae1b8ea03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e67695fa522015698b0aebbdfe1dd1c0

SHA1
9f9adc96394a61d953ffce017222dd6775b80b67

SHA256
b0b8809e4c2c86f5165fe54098f8e881c47479cc249e934a57829fade7bda235

SHA512
f28ec3c01f38763144aa1eae76b8661da00d0b015c4e3a302bf23f884111d665c6ed872bee8340d105343fb7c8742f66cc16db09d9fd6535f57f29d66724001c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee7E\guig.dll

Filesize
20KB

MD5
d3f8c0334c19198a109e44d074dac5fd

SHA1
167716989a62b25e9fcf8e20d78e390a52e12077

SHA256
005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

SHA512
9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteert.dll

Filesize
60KB

MD5
6ce814fd1ad7ae07a9e462c26b3a0f69

SHA1
15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

SHA256
54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

SHA512
e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 445056.crdownload

Filesize
52KB

MD5
6f3e4b4cbc6c4a65110a82abe22b0738

SHA1
52a8212bc55d92d26015746b8a2eb737ed1b022b

SHA256
dabfb2d67b42b956cccceb6fa2058c526c1dcad4ebb7d50e171bae0e036d7e21

SHA512
073548c74961317f4f7342bb24ba83cb877f25ebee0de9b0fbf93f52cb7cb14c4a6bfdc3615375ea98166d4a3c664431f91d92cbc14128d62d7cbda727204f56

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 879289.crdownload

Filesize
6.0MB

MD5
1f2607914c8efd0f781f49ae1c20cf27

SHA1
18a8cfde08930a9a406533ce9523c232fdc769ae

SHA256
b3e3e9804bb6b1a09c5ec5a9301c064507ac6482f9f687a3a5104f4225e27fce

SHA512
a2e06b6334a32dbeb21050d43776485cc9cc9af350a7cc2209a994f9eff285006f9999bed6f26b3e58554444abdf4c5327d5e4b93993d28ea7a6591a239be316

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 986681.crdownload

Filesize
552KB

MD5
3a9fed5f3ef8da8cd60c173ab7f42e66

SHA1
9cbd625a4afc89a1763cb3ee80a5a38811061724

SHA256
ba1bc395496bfbcf1dfe66b442124407f7412b8ac704fc0b0a7385307c88781f

SHA512
b81603604f62c29e74cffccdffccddab6408aa03d3315568eac8de57e2291d1c5097319abf74c35acbb826863fafc1177dcefe433863073ff2f66b61cc1771df

Download Submit
memory/4260-1053-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4260-1074-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4260-1076-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5144-1101-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5980-786-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-907-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-840-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-837-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-839-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-832-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-856-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-857-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-859-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-858-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-860-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-863-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-864-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-866-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-865-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-867-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-868-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-869-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-870-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-871-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-872-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-830-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-874-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-877-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-876-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-875-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-878-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-879-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-880-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-882-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-881-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-883-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-828-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-904-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-906-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-838-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-905-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-908-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-829-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-827-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-826-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-815-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-814-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-813-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-989-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-992-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-991-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-990-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-993-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-994-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-996-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-997-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-995-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-812-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-811-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-809-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-798-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-799-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-797-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-796-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-794-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-789-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-790-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-788-0x0000000008540000-0x0000000008550000-memory.dmp

Filesize
64KB

Download
memory/5980-783-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/5980-779-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/5980-778-0x0000000005AE0000-0x0000000006086000-memory.dmp

Filesize
5.6MB

Download
memory/5980-777-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/5980-776-0x0000000000A60000-0x0000000000A9E000-memory.dmp

Filesize
248KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads