xenorat | hxxps://github[.]com/Mikeykorby/Educational-Purposes[.]

Analysis

max time kernel
155s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
15/03/2025, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Mikeykorby/Educational-Purposes.

Score

10^/10

xenorat defense_evasion discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xenorat

found-politicians.gl.at.ply.gg

108.77.173.66

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
47806
startup_name
Sinkerboi

Signatures

Detect XenoRat Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002b49f-403.dat	family_xenorat
behavioral1/memory/2712-429-0x00000000009D0000-0x00000000009E2000-memory.dmp	family_xenorat
behavioral1/files/0x001a00000002b4a3-630.dat	family_xenorat
behavioral1/memory/4928-637-0x0000000000750000-0x0000000000762000-memory.dmp	family_xenorat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\System"	Client.exe

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5668	powershell.exe
5508	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 12 IoCs

pid	Process
2712	SKIBI TOLIET.exe
5348	SKIBI TOLIET.exe
1608	SKIBI TOLIET (1).exe
3124	SKIBI TOLIET (1).exe
4928	test2.exe
3884	test2.exe
1600	Bloxstrap (1).exe
444	Client.exe
4556	Bloxstrap (1).exe
4496	BootstrapperNew.exe
1672	BootstrapperNew.exe
3484	weqweqwe.exe

Loads dropped DLL 15 IoCs

pid	Process
2900	Process not Found
3452	Process not Found
1564	WmiApSrv.exe
5840	Process not Found
1672	BootstrapperNew.exe
3484	weqweqwe.exe
5900	Process not Found
2420	Process not Found
752	Process not Found
4884	Process not Found
5508	powershell.exe
4724	Process not Found
5668	powershell.exe
4704	Process not Found
1628	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\Windows"	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
93	raw.githubusercontent.com
94	raw.githubusercontent.com
95	raw.githubusercontent.com
91	raw.githubusercontent.com
92	raw.githubusercontent.com

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1107858922\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1107858922\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1107858922\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\shopping.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\edge_checkout_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\shopping.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\auto_open_controller.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\shopping_iframe_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\_platform_specific\win_x64\widevinecdm.dll	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\edge_tracking_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\shopping_fre.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\_platform_specific\win_x64\widevinecdm.dll.sig	msedge.exe
File created	C:\Windows\xdwd.dll	Client.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\_metadata\verified_contents.json	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BootstrapperNew.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SKIBI TOLIET.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SKIBI TOLIET (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\test2.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SKIBI TOLIET (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SKIBI TOLIET (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SKIBI TOLIET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SKIBI TOLIET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxstrap (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\shell	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\shell\open	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\DefaultIcon	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\shell	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\shell\open	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\DefaultIcon	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\URL Protocol	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\shell\open\command	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox-player\URL Protocol	Bloxstrap (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{87988EBC-A566-48FB-B0D3-51C87C53D6E7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\roblox\shell\open\command	Bloxstrap (1).exe

NTFS ADS 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\XenoManager\SKIBI TOLIET.exe\:Zone.Identifier:$DATA	SKIBI TOLIET.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\SKIBI TOLIET (1).exe\:Zone.Identifier:$DATA	SKIBI TOLIET (1).exe
File opened for modification	C:\Users\Admin\Downloads\test2.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BootstrapperNew.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SKIBI TOLIET.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SKIBI TOLIET (1).exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\test2.exe\:Zone.Identifier:$DATA	test2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
724	schtasks.exe
5156	schtasks.exe
4924	schtasks.exe
4072	schtasks.exe
6052	schtasks.exe
3596	schtasks.exe
4920	schtasks.exe
3404	schtasks.exe
2464	schtasks.exe
5384	schtasks.exe
2352	schtasks.exe
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
1564	WmiApSrv.exe
1564	WmiApSrv.exe
444	Client.exe
444	Client.exe
1672	BootstrapperNew.exe
1672	BootstrapperNew.exe
3484	weqweqwe.exe
3484	weqweqwe.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe
444	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	Client.exe
Token: SeDebugPrivilege	4556	Bloxstrap (1).exe
Token: SeDebugPrivilege	1672	BootstrapperNew.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	5668	powershell.exe
Token: SeDebugPrivilege	3484	weqweqwe.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1660	448	msedge.exe	81
PID 448 wrote to memory of 1660	448	msedge.exe	81
PID 448 wrote to memory of 5404	448	msedge.exe	82
PID 448 wrote to memory of 5404	448	msedge.exe	82
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 1676	448	msedge.exe	83
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84
PID 448 wrote to memory of 2364	448	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Mikeykorby/Educational-Purposes.
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffaabadf208,0x7ffaabadf214,0x7ffaabadf220
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1700,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:11
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:13
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3412,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4896,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:14
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:14
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5224,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:14
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:14
  2⤵
  PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:580
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5848,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5896 /prefetch:14
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5848,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5896 /prefetch:14
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:14
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4660,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:14
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5884,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6608,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1816
- C:\Users\Admin\Downloads\SKIBI TOLIET.exe
  "C:\Users\Admin\Downloads\SKIBI TOLIET.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2712
- - C:\Users\Admin\AppData\Roaming\XenoManager\SKIBI TOLIET.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\SKIBI TOLIET.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5348
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Sinkerboi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA52.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6604,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:14
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5844,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:14
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:14
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6976,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:14
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6096,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:14
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=3576,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2052
- C:\Users\Admin\Downloads\test2.exe
  "C:\Users\Admin\Downloads\test2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4928
- - C:\Users\Admin\AppData\Roaming\XenoManager\test2.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\test2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3884
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB699.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6752,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=7144 /prefetch:14
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=4416,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6460,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7056,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7288,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:14
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6140,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6456,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6576,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:14
  2⤵
  PID:3600
- C:\Users\Admin\Downloads\Bloxstrap (1).exe
  "C:\Users\Admin\Downloads\Bloxstrap (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:444
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\System" & exit
      4⤵
      PID:712
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\System"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4924
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:6088
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4072
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\Windows" /RL HIGHEST & exit
      4⤵
      PID:2196
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\Windows" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:2652
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6052
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:2412
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3596
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:5704
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4572
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:4904
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4920
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:5188
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:724
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
      4⤵
      PID:2816
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5156
- - C:\Users\Admin\AppData\Local\Temp\Bloxstrap (1).exe
    "C:\Users\Admin\AppData\Local\Temp\Bloxstrap (1).exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5964,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5680,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7060,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:408
- C:\Users\Admin\Downloads\BootstrapperNew.exe
  "C:\Users\Admin\Downloads\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\weqweqwe.exe
    "C:\Users\Admin\AppData\Local\Temp\weqweqwe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Solara'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6548,i,14408854157782864120,2350353922055332908,262144 --variations-seed-version --mojo-platform-channel-handle=6664 /prefetch:14
  2⤵
  PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5360

C:\Users\Admin\Downloads\SKIBI TOLIET (1).exe
"C:\Users\Admin\Downloads\SKIBI TOLIET (1).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1608
- C:\Users\Admin\AppData\Roaming\XenoManager\SKIBI TOLIET (1).exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\SKIBI TOLIET (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Sinkerboi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F8E.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKIBI TOLIET.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
14ff9881a6e525f41a1bcc8c6a1d971b

SHA1
d33612b410a8b16c7e582443fd20bc43dfd81602

SHA256
75b1f527666c1ca34ea2237b0c6896aa191b57c9123ef6b3f79cdacc9dfb88b4

SHA512
bfac4282488ae319d90c54319f5782a1b0308a20b445659e6b96d4e878533f5cc3a63cd885cb6d2b0a9c1663779582e04384595dc43baf3ff15ae085b302c1c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57fcde.TMP

Filesize
4KB

MD5
e510fa2c6fd77f36870d8fdbd63dd12f

SHA1
b418650a28c28645fe0651f2a6c6761e73b35de0

SHA256
1f22ab718979e82ecfa4099abc3f2d345681c12f7da42a1b737b5f7d61100206

SHA512
41cee3193d0fbcb25f5bff8b830b705d7363793d89d84546bb5670492f1074c6794999821e43080000636f40233b94ad0ba611c3dce21226b1c2749c86053cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
818da65e61028b0a28ddf8f86de9f4ba

SHA1
ad1a3a1e61ac802ac0dc05e8341e0123e45752c3

SHA256
bd62981117b924f4c564dd1cb009fb401aad1ff17ad60e380186b070ac0fd460

SHA512
896f7820ad37d1d1fd94e01e1bb7c3cb09fe36b9a7c1f24a8090883f549290c8e33891a3a5da1ee3b0483edd3dd006f9ad3bd5e59d572cde5e5742488e27eee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cafafc513a24cd32fadd98eb4759c0d3

SHA1
e217ee5e54cf646559002df6631e8d266187b6bd

SHA256
bfdfbc07dc17f6e8ecdb03b6186664cedc55e954cc251249689de2b141a742c7

SHA512
f48665132d9d06d0ef0454e2f009c976953c876b678886995b8552bed956c3d68b8eb03e12145d3507e52a41a4615b2a99214391b7c45e960a7eaa034ed8426c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
761b31efe8dae3b7a6cdb97af25a8ad2

SHA1
c0c44b63ae47828307f236e48f9879097150d8fd

SHA256
d44189d581e12a919482c27220f6e5a2bb42137163ef9af4a98d4c915ef8dae8

SHA512
c42871b82a50a3cadf6395fff958f461f5a50123cd44c4058d86f33afe33e9e78ce3ef87b29822895532d987ce810536b38f52010c461a8a5604047f0242fc85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
413KB

MD5
c3792721821b83c0ba436441cdd1d0ea

SHA1
0bd7f2abf8862edc185bbb672c05262d49fefb48

SHA256
5723a311ddacb84b912ff15cd7c4cff4fbe335276b239a8ed332c1edd8a2d567

SHA512
5e29052bee5b971d1fcf939258c7be525a8f6a41cb9ed006c916927a0707cc9161b285f99a5c30b5ed14190e902174936d4930b5cecb8a0c1af30aa7199c76ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
8669310175de4fcd8dc789e57ffbc927

SHA1
22d2bf4e2b4add66a1d3875748e4fabe33abffb2

SHA256
47e96954e9bb01325ac3e91addb64b9394a8a0d4b8719ee1d9722c29fb8ec455

SHA512
9de68dedab6512e70c75248ef79c6f3e7f5c4efd615ef3d75e34482a38542423ef1cb0fcdfab55e7b5d43d7ff818174e7f47d9d12545a989687cd12a602970f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
2e188e7f2a545e26e21f431f4ea40066

SHA1
728ba811bf42e9ea2350433e7da56775e711303d

SHA256
e4452e9d95af8ff83dd109b27cf744e7039e46da9faa37149fbc80640ac47252

SHA512
223d00c3b5575690d457ec72b015b59973cf3c55312d1cbdef111c94cded3b0944b156c2fdc1337047fa682a785e6befaac06b14a62de0e7ff54a083593dbdc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
bf87222c1ebe85385b332bb73225041e

SHA1
cfa61269be76edeace33c48f774fb5379be21377

SHA256
6e0cb95d22814ed6bce06239328c95f5b293254d8c464b8725d73cd47ffacbb2

SHA512
741af7df0385c35bcc0e502bfca0744781340a30d5d27207b32c53c3031922c31a79e18c87dba6bc46946907760cffdeade0d62ad03ba188284d80b9d85f2af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
3b0017a907769075b20edfc95d810496

SHA1
bbf14f621c1212626b41c4bb35a138d5249eb31f

SHA256
e4c121a1c5a343cdb2a5da3a82d99576da4e797b55f5da3112f1ed9a1d37b470

SHA512
2287d783c9e46f3c99132df748bfd51a699cc6ee8309b24ef1bd0ed193ab2dad3bbcfc1ceaf643ce276332ed6e3f6d738dd0e029cd3dfbdb02635b4cf15c60c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
6ce288337cae886428ab3d81c37f7bba

SHA1
e661780c9d87c61b4ef552436cc5cbf0f9f88e8c

SHA256
8545fac4597894cfac6f64d8a9de4c3241049daa0c41b3d2b7589df9554630ce

SHA512
89be0bb1427f1b1a3f54109a43999ccf1be25e6dc0061bb286d979502cf0bc8f64ace78ea3dab374a793d55f7a5a36a75403d029e93c6e767e513eebf6790310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\61653b32-d880-4d11-b8ed-b939b37de6da\1

Filesize
6.5MB

MD5
e483e2d44963d269ed229bf28feafa45

SHA1
ce8a26d343fffeaf53acee17c66c46a5ce18e63b

SHA256
24832e776d6681e5706c2680bf52b89c9f85f98648736f57c36d34a7ed09c6b0

SHA512
48730b90eba52f524b53adb0502e5b4a32d61c174244d7a9523b4221bc681b97445a7d11bced2c2f3e94ac70e37006ebbbd4c308fa4bc6ce0d5e91cfa196589b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
464B

MD5
79792108f3607260209b1a61af9aaf35

SHA1
b418c813bb0ba30ef1420a89a13e346d93d5734b

SHA256
64f0b09c28535c9cad69470d5cd97fbbbd9d7ca244d7c5faa632c2a796efb63f

SHA512
8d726a9629c15da05716f37c9965f30a29d678f29d07e22f9d56e49d55d9bc95236d6dbfd57f3aae2a334ecc9bba8ed819f7c5a95be185b84101436a6cf4e016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
ff3fda944f8f00526094ea498a7139d1

SHA1
daea553f01789370b6366cdc5bce955582ec93d5

SHA256
f82e7be2059dd065b7d9b0dd496600812d28fa9afa6aa5808075232fca2ff1b6

SHA512
640ac2e4ebbea5e32f666ae69c1efeb0ee5a4e32276ecb0c40f3f07641b9bb3c9db93f6d575b72cee4e7bb686afd639da0460e2d7f0abae8d45ec00d66f7dfc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
54f044c340babc0f9a23652c11a07ee6

SHA1
4ed228dfceac627e2962cb73cf13ba853033b2b2

SHA256
a68a5deebea0469e028f768c0f172b02b957e06b21e3e5bdc2747ea84d7d14a5

SHA512
7c3b2a00fdace2a2d6a18ab5743a479176c27b2d57112bae2397833df52c3ff6a33ccad83dbd721d49959fe80f5a0cd964e2c411572942a939b83ac0c51b0561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
244ef2d292a6c82d669ea17855ab68a3

SHA1
c0c42584a9fcf45fe989320a672c0d83f9a37748

SHA256
dc69ed5f5784561f12f318897610fe99f18a04e86873d7e7457176722a28720b

SHA512
6ff8837071851113e438600c5b36c0eecbe27b5960c39cdb831ce26ac8d07ed8237da39e5156f1c5e4eb4a45bf5835e7ddec3283587256167db673a7ee381351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
4e7ff6e98e275be3249d7be5891def44

SHA1
07312524cff2d48a7f482de244a165374079e6d7

SHA256
8ed0f75539f6f5c15b5cda1d1e5ba12a2a0337b4d3ded1a194fbd8415a68e048

SHA512
986e8a90b868b5f23d0e0c2689226faf5516029bb717f911a11caf11794e19a4a30418e3799f5915626a5e5880ecc4554e05c83db0b44e815dda2aa34ed50a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
f6c6e63c5c0901c1c94c18eed0930760

SHA1
e49eb8da272b6d4a1a5ae1a7297905a4416c4269

SHA256
6ef6576c63be326f37f1ab88493e0e3b8021094b211bbeb5fa8620e3150287e7

SHA512
30ebc30c4cc19f674efe23aadb250df191a540d9f334991bea3f1c74d5c8d4b56458caf07f001355349ff8f544a0b25766abfd0efe77fcec4e35358fd8d109f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
440e1f3c2d90a2fa790d539cd6af6039

SHA1
37350f7a8ac6dce8c9a33add8b7076df096d4681

SHA256
86fe8d4e5f44029572a8667f5b145a22fed85ee9e3780c99fd937e093f9d6a92

SHA512
3d9a31d2cc24e958eb2189bbe54ab684c1742094f09966861f9f44bfa7c0b41d22cc8926f21d3c07955798f9e22ec2f8eb657a67d4f750116308b2064d959196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
f7dce05021c7e15be67ce72f158222c5

SHA1
06dc8399bc40c308df1b0c82e397348f75522597

SHA256
10cdfb94dc241ea2ecfdf3ef1943edb8d383f74683db6a09cd388a4873af2c10

SHA512
df438560335f39ccfa0bbd8ce5c79a1eab27784e72812d2a0c85122f2cc9db03f9136de60a6bf8ac3c558abf1ff6bea59a3fa1c643fceb3dcb1b23b2e8df6c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
61c8091337d2bc573f413f53ed10dd8e

SHA1
e0fa07a6027093e873eb9d32b8eedd4fca3f992b

SHA256
b6198244bcbc19fa5f53eb90dc7fceb7a1e662d1f7442037f1d4a7975824883a

SHA512
f8810951748762241e9b07d83fe603bcfbe1c35b7790e89e51391df4d6445ed93acad7246ae1cb310574ad425abd23319dc2b6034e64433521bce87d32b7f686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
a4f910df813dd02ad6fb3c7702366499

SHA1
6596a1e0958eb03fe836043c52d4856e2227a14e

SHA256
cb3b69f98744255a7834cc2d54bcd67f5d86b8f0c2edb2e81b1b0e2f7798159c

SHA512
5321dbe276536bdb3a55107b0d15e206e1b72fc5beba0526636e3ef8b161ca04d536988381ef6e125c4550d6144e1d694b7075f698bc85726d382d46b3604978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
e8ad1182e1d05b5e208f7040f52e46cb

SHA1
1bf1eaab982f41dd74d9d2a4bd7ca81e45eecff8

SHA256
049124dcf57707ecb895d6737d464a491427a171bf3c5874e6859b992b1a2704

SHA512
90da8cb6477de339eca517747d062b71e4aa7a8d201eddb6723bccb3b611aaf9c78dac313336dd640e3ae71bbac3e8edc18be1ec3d6854223937dc247d8c3dec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe58d8a8.TMP

Filesize
392B

MD5
d4b4d2e866d1bb91be5929b907e4ddf8

SHA1
b1ee302b16acac7c4cc8d13f34ce100dcfdf1521

SHA256
9fa67659eb510955f8f954b110612ccc95d73dce021a66aa0a0276314c1fb8e0

SHA512
355ad86a46b3045f9374e1e0890031220ef5c690bfd6f326373f204e58bf20594e145fe7a03c3f0ebf5aadd7608298b0e4786f5478a3c911f5ffa406c0fe22ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.15.1\typosquatting_list.pb

Filesize
631KB

MD5
ad013f0723d332e26a9101a81483661e

SHA1
a3db6536228681288dbf39d4a94d2d8f11e77d3f

SHA256
96fb259d4c8d3ed7d7c657b6aecc8ccd2b0730b11244a83499c0d8dab91087d5

SHA512
b2c700ac36657d288cbe0bdbbe7856299d6af24e00fce8f9d78434ac2f10fc82f9399b03cd5995817721a0d252976f99424062e5b79d0281d8163aa5af330f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bloxstrap (1).exe

Filesize
10.8MB

MD5
05fe4ab617fb8a0e6df903e14b3312c9

SHA1
04500479b9e6cdfbaf431634cfbfd496214c80ca

SHA256
b4e27af0caf72026adc98fa65d34d5fe22882b2c3b36291f39fb2c69b3183efc

SHA512
acff0e95ba628ed724ad331b1e5701f5cef343cb8ee5aa44aff0c5907453abaca68b874c7275a61d835d982ac18e0a1ffafa9289c7e72b9cc8b79c564b46c3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
568KB

MD5
6ee9edd9d8bc2ccd5353b0638873dfd3

SHA1
abba123115cf917af56a664127460df2f0b5e400

SHA256
1370f3806f222c0c3c839710b87706532827aec5d857daafc306b56d1995540c

SHA512
f5368bfd9f1a2f9ada105c23cd69b6aa1288615215f90c1ffd40ef97b131fae44230160621d36ab864f40d6114b1543547278848c9a5e59cade8d7c728905b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
662KB

MD5
e725727347aba1f8f0e08aad4efbdfbf

SHA1
4eafdd169e23f0b6f4cd4455d53b0be48acbb297

SHA256
c800ec67dccfc9adf1048a3cf5eb5df750bd094de7c35dc22532bb5a7a914a98

SHA512
b32ca48410abccd3fec6b501609da81bf6577ebc952cd7c522dff49ed0544e51c444e00afa3ef05a51098d61e91d4230bfc59ca74d24805326620f56cd2f2f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xklnjzuj.xvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F8E.tmp

Filesize
1KB

MD5
23a52417c7174d9370bf677445a235b6

SHA1
43d7d3bdd68c9e0cfcf173f6731169c9bc7c23fb

SHA256
81a024cab76a5c76f19cf619c3a5c959f37f27e670ba3782eb10fe511f489f71

SHA512
ea5c798ec8e10c4d5541d34e56d3fccabf06c093a61defd1c7f7fcc85ae3dad1d1214d1c0a3594cc4ee03bc7a648ea07f2f079865755e24f1ca4036ba10ee29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB699.tmp

Filesize
1KB

MD5
a487f375d1dd4188cd1b92b00491a05e

SHA1
d5865b4d928ceb0e6c91a8c46028a7741c5c5e9c

SHA256
cfb054c08468f5b79352fc53f94a2268c6f27f1ce9d2c2f7e43a092a4b639381

SHA512
3ddc334f48ce18ae9c6942f810fa83ddaf6fd1a47f9900a2964a4c396fb1c45df56a930dfc5f86ab9d6854b149b780b07b75753ed3e8688d030a4db84447831a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA52.tmp

Filesize
1KB

MD5
9191618190f6d712fff6af9b022564cf

SHA1
28c8b007fa99d7324307ea8fae1c3e0957db874e

SHA256
8250a4762d61699f2cf9e4c4c31397a680759d58f9761d3b3825b1dd2e7cd9c3

SHA512
6678bf3d1866a57162795635dc65898b5b2eb21a37d673123a59bfa15754cd2187fef4a30c4e024227c336be18c21050b20167f3d1cfd72585dddc43bf7a4079

Download Submit
C:\Users\Admin\AppData\Local\Temp\weqweqwe.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Users\Admin\Downloads\Bloxstrap.exe.crdownload

Filesize
11.5MB

MD5
81d3e2fc05949c2f39ad1e8270f5aa21

SHA1
ae504da7fc39d7509675c294dbfb447eb4b1ccf1

SHA256
e78b0c1627abbd320386fb1c790fdaaae74b1444ae5a986238ee9b81393f211d

SHA512
9ab183d86f87a6e9043fcc5f135699d293b634912a8b0eaff1885006840cc755a24cf9384357143a749d47e64c402723fb1a4391cb9198f990018b42cc780806

Download Submit
C:\Users\Admin\Downloads\Bloxstrap.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew.exe.crdownload

Filesize
3.4MB

MD5
c40916bf88f90d7b219445b574db4525

SHA1
31b82e3e61c4e06a2bd9f08c97f5569ee747e8c5

SHA256
f57a8361f3da23bb65b2498f4204cb6e22a129909bca742d8c2bb898590731b1

SHA512
af00103eca39bb936efe87f47f1fad0ad1e9c967f861460381db2061e1d3c8d0b59ee6eac0db1bf4bc1076a52253180912852e8cc4e38bb22377ad86b0b6a3cb

Download Submit
C:\Users\Admin\Downloads\SKIBI TOLIET.exe

Filesize
45KB

MD5
7190e8a17d3b610dd954e3bc85a76fae

SHA1
10683424e5bc52979d562aafe6e00953deaca45e

SHA256
2f3845685a5f0fbff420a7cf627f4172393012bdf8815e72c6975534d9bd718e

SHA512
5899f443cfd02d689f13043e7fd868e9486fd7b50f9d0514e917551d47c8e9897ec0b7c2d6c36532c6dffc94381c524ac6087c859780beca5aebdadb13b08d16

Download Submit
C:\Users\Admin\Downloads\SKIBI TOLIET.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\test2.exe

Filesize
50KB

MD5
d5fe60017b61d111aeea15aa8301e890

SHA1
78c36bbb06c1d22af46a5385ae87f920b975262d

SHA256
5f23cc691b16b3485b9c9a258508de067993c98e8c26917b1b03a09a81e530e6

SHA512
9af5ca80ca4906b1ae0e174382319a33e3351692a0ce9238be470137fb4c14810547c96235d4a214d1778f44c9c102c5f148b3794c1b7752b38558e8a1571ebf

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1107858922\manifest.json

Filesize
118B

MD5
56decbaf515f574521f86e481e880496

SHA1
cf86b7e930bccc9168458b7202ff89b50a41a8e3

SHA256
4aa32c5d74a694c56869211d6ff4a3d61334b9b61659dab631eb6c285416c608

SHA512
669804a28a9e1adde2e259c2a0442f2d8c054908fb1c382db27d6f08353f1d8e3ba495ac18ad4746aac4d19eeac67594f3b2b0789a607ceae70c445d07ba3196

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1184569553\manifest.json

Filesize
145B

MD5
0df2306638bd60162686e9c4bafbd505

SHA1
ef9e16bf867f7950d5a30172e1d34d38686b0e72

SHA256
fd7b554588c5e72506a0bfed89bc298911a5649b9f5168ad7c1804d1c75de42e

SHA512
73fca229097631104cf352061d62455b6c5520bf59777520165719d2368b0e77f3ce66f52873fec53ac60e35274bf397ba321bc62610f0b7b172a7c5c4975174

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_1195223607\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping448_889075687\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/444-1020-0x000000001CBA0000-0x000000001CC16000-memory.dmp

Filesize
472KB

Download
memory/444-864-0x0000000000420000-0x00000000004CC000-memory.dmp

Filesize
688KB

Download
memory/444-1022-0x000000001BB30000-0x000000001BB4E000-memory.dmp

Filesize
120KB

Download
memory/444-1021-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/1600-876-0x0000000000400000-0x0000000000F8D000-memory.dmp

Filesize
11.6MB

Download
memory/1672-1005-0x0000000000750000-0x00000000007E0000-memory.dmp

Filesize
576KB

Download
memory/2712-429-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/3484-1006-0x000001E76D260000-0x000001E76D542000-memory.dmp

Filesize
2.9MB

Download
memory/3484-1010-0x000001E76FCA0000-0x000001E76FCAE000-memory.dmp

Filesize
56KB

Download
memory/3484-1012-0x000001E76FCB0000-0x000001E76FCBA000-memory.dmp

Filesize
40KB

Download
memory/3484-1013-0x000001E774260000-0x000001E774286000-memory.dmp

Filesize
152KB

Download
memory/3484-1015-0x000001E7743F0000-0x000001E774406000-memory.dmp

Filesize
88KB

Download
memory/3484-1016-0x000001E7743D0000-0x000001E7743DA000-memory.dmp

Filesize
40KB

Download
memory/3484-1014-0x000001E7743E0000-0x000001E7743E8000-memory.dmp

Filesize
32KB

Download
memory/3484-1017-0x000001E774250000-0x000001E77425A000-memory.dmp

Filesize
40KB

Download
memory/3484-1018-0x000001E774420000-0x000001E774428000-memory.dmp

Filesize
32KB

Download
memory/3484-1011-0x000001E7742D0000-0x000001E7743D0000-memory.dmp

Filesize
1024KB

Download
memory/3484-1009-0x000001E774290000-0x000001E7742C8000-memory.dmp

Filesize
224KB

Download
memory/3484-1008-0x000001E76FC50000-0x000001E76FC58000-memory.dmp

Filesize
32KB

Download
memory/3484-1007-0x000001E76F250000-0x000001E76F260000-memory.dmp

Filesize
64KB

Download
memory/3484-1138-0x000001E74FA30000-0x000001E74FAE2000-memory.dmp

Filesize
712KB

Download
memory/4496-1004-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/4928-637-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/5508-1127-0x000002D7924E0000-0x000002D792502000-memory.dmp

Filesize
136KB

Download