hxxps://github[.]com/TheDarkMythos/windows-malware

Resubmissions

25/03/2025, 19:55

250325-ym9gxa1yct 10

25/03/2025, 19:51

250325-yky86a1xh1 10

25/03/2025, 19:35

250325-ya1dgavm12 10

25/03/2025, 19:32

250325-x849msvmw6 8

Analysis

max time kernel
94s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/TheDarkMythos/windows-malware

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
155	864	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe

Executes dropped EXE 8 IoCs

pid	Process
6000	geometry dash auto speedhack.exe
4548	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
5240	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3660	geometry dash auto speedhack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
153	raw.githubusercontent.com
154	raw.githubusercontent.com
155	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\LICENSE	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874049694529213"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{9F9F841A-0888-4C59-83D4-19F9A0E4637F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3384	Taskmgr.exe
Token: SeSystemProfilePrivilege	3384	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3384	Taskmgr.exe
Token: SeShutdownPrivilege	3964	geometry dash auto speedhack.exe
Token: SeShutdownPrivilege	1792	geometry dash auto speedhack.exe
Token: SeShutdownPrivilege	2024	geometry dash auto speedhack.exe
Token: SeShutdownPrivilege	2352	geometry dash auto speedhack.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe
3384	Taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
6000	geometry dash auto speedhack.exe
4548	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3660	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
2352	geometry dash auto speedhack.exe
3964	geometry dash auto speedhack.exe
2024	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe
1792	geometry dash auto speedhack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5248 wrote to memory of 5808	5248	msedge.exe	87
PID 5248 wrote to memory of 5808	5248	msedge.exe	87
PID 5248 wrote to memory of 864	5248	msedge.exe	88
PID 5248 wrote to memory of 864	5248	msedge.exe	88
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 4520	5248	msedge.exe	89
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90
PID 5248 wrote to memory of 6092	5248	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/TheDarkMythos/windows-malware
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b8,0x7fff425ef208,0x7fff425ef214,0x7fff425ef220
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2560,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5280,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6112,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5044,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5788,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6184,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:1656
- C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6000
- C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4548
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3964
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5240
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1792
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2024
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3660
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
      4⤵
      PID:5576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://google.co.ck/search?q=how+2+buy+weed
        5⤵
        
        PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3608,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6904,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5488,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6228,i,14970629933948105776,5407167570731155284,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4060

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5248_848637668\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
60d40d2b37759323c10800b75df359b8

SHA1
f5890e7d8fc1976fe036fea293832d2e9968c05c

SHA256
c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0

SHA512
0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000082

Filesize
215KB

MD5
e8518e1e0da2abd8a5d7f28760858c87

SHA1
d29d89b8a11ed64e67cbf726e2207f58bc87eead

SHA256
8b2c561b597399246b97f4f8d602f0354a979cbe4eea435d9dc65539f49cea64

SHA512
1c15b65bd6b998254cc6f3cbef179c266663f7b1c842229f79ff31ba30043837c398d85296fb20d3a576d9331fee9483ca0cbd06270da2d6db009bc454aee0c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
158c14537d282464a2948b36c8c64a7f

SHA1
60ed780fb747c820d7f1c2c65b6dfc0ec0923960

SHA256
e45241e10206d321eca328ea6d1b849fdf71c09c34b1cae22ae76dcdbd339f42

SHA512
379834a43982c6065dace0353b0aa706055b13f581658262a9d17f3e3aac6ccbc4143a0ddd7ea243c54b77b07074224657060fc2848f08b20f048aa4e0980fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe586ffb.TMP

Filesize
3KB

MD5
bd26613229333451a777083b42545731

SHA1
d5878212ea7e764cc905ab0dc83165a3b71643b2

SHA256
23513b81b895f9e956923ef04818abd0fc6e53548fa3471decd1ef3de5382e60

SHA512
a63e17c64348f36ac5ab95dc16c9db1daad4482762cfa21e8828d8c16c813d467e48c2100a46f3620e6a6194850bb08c3aa66765c602bd772ec26820b22930ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bfaf8d3391f0e9f0f3477f164f842660

SHA1
34c6e4c91b09c4ba8eb47d62536625adc4402d1e

SHA256
8c8c74c49aff82350934c3bb2594f79fe8d78bc7fba4a6c483cd6cc9ab46d03e

SHA512
c0089edf8e716ecd5a82874279f0ca995186e9e8a7763fc44bb1c234a47f87fe3efa1108fc2ddd3719868f4ab33451233c742e2c7379725c70bfbc47c3ce5aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0535f86b057e09940963b522185fbbf9

SHA1
ae87331aa6a1d0bc7b3a1dbaae83254bacd8986c

SHA256
8225d90f2f215d75c5edcfe5fd2c2516229d45927741bc9d22fe382113c9c86a

SHA512
12be50655cdc4cab2eefad4932ded6eaf21664aafafe03396ec96b322ca7bb94f31a3b076c57911708982a8b5688f1d1fc1f4c031453aff59aa63e102dc5a5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
9b6ed3580a392e8b8ef695d1a42d952b

SHA1
59787c7d5722066b8d1c2fa10e6877775f619cb1

SHA256
bb860f846ea21c59f34597950a0544ca9a31746e435803e10e9d14b0186104c6

SHA512
30e34513b01eadf3483e0737941fc1761944c3c0ad80680fc4c121575138860c5d9d438f2661b7fa06fd24dddc74c8504742485221a20a942cd6c084f3a3d8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
d03fcc892a7b1f64b0b4f47fab1e0a51

SHA1
b1e76ae280ba769fe9458d8b570bf8b66c170e77

SHA256
dda19699e90ab4429a561c5faec33dbc14c0063745549bbfd9d5fa085d0e39a4

SHA512
ed58dac03c4382d9788c9837e96bc1f773d91bf36461b1165c55447f2c6dcb6ac39cdc77f1a9f4c858457cecf73e51f107c5bbe2e9079f91703b7a8892006fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
3013ff43054d07ff20278e83de5b0ea6

SHA1
a751e7087c88db845162661d99da8f308c5442fb

SHA256
42783f2d119146be1c0e8b89e8f10424599b0109ba2840213607c3747ac4e79e

SHA512
01b8cd0b7d1251216b7e3f4a50c61f4384d089ff9abb3f6e8da4a8b735cda17df0aa4017fe211b273578ac80b0b8b3e69ccf00f80732f71d666b54b6d2b682b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
778ddf08afea656ceb496f0dba3ede79

SHA1
96cd70294b6615aec20f7f14baa11f31766d9295

SHA256
80c214382691e5dfc1ebcd18430f8638befa6d7e9a0118741e0e50c8e55fc4cd

SHA512
1b551aab21e3c0871daf1c01d1baf5b85d94854bab4862bc08240231fbc5bca195382ffb1510f2a0d8fb2d1df35814671016b1a57ce8b0b28da22e6b679dc20c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
0cf0e4080d5109bf6d220dff52fc835c

SHA1
d90bfbc33d47be94858de0faf419d6795dbacd3f

SHA256
2c6ee780d02e68118340ccb9627df3026613aa1c0b2433020ca667a9a83a682a

SHA512
8072bee5c1b0b4522e924f5d3043c3cd21553a6cd6ccfc613c88fad4c76c2bb5529ef44c0b6978211e44f2b26af543fde4761c6d1d45f1c12a93c6c66a258705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
5d3cf0866493b160fb0e908631c1c039

SHA1
2b0d7a6b302844cdcd27242ca657dac73481ff65

SHA256
34cc3f8713cfa4ff998161dabfe69e76af7db5fa8c3dbc82c255dd56bd4b60f8

SHA512
6ab5ca42b17d402144b452ff97d4cd76ae85ec2841528814aacca39774afa2479d8f9aea52d098b0ba4cf091109ca80daef126367b3ba33606a24b6bac7c7241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
ec01fbe847c34a9b1b527ed2d586793d

SHA1
9e0aad6b66f3fc91dba493d86eb9be760a53f227

SHA256
3595c0e752629606002ecfa9bdac5f9b231e5a05223e1e0809f90a4fb2b87de2

SHA512
322e27eb3c04193653ba4b68e3457f9da5574c2da4eee95ea65fd605b06417433fba33e79927bc4f11a7db41013f65e41093453d8e6757f2fd63ebd053ffc851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
2f1f564211d56e081c8ee6df5625cc95

SHA1
19ccb3e1c489e26b44b8e3374ea041bd547ca344

SHA256
a68f2cd54e2bc817984740488b1348e2a6803b66da3ab91e5f016b7bf8c9ab41

SHA512
fd857bdc143283bf58fdd1887fe29d41673075eb4b91bd5cb86216263985197402e970be4001c4bf5590ca07937ea2c255df94a8d4ceb81067518bfcf33bf6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
9db1572126deeaee2e7c3b9f1236189b

SHA1
8fff32484c529ca410d6f58cd81d4f1916e11307

SHA256
62c5f1ff0c15204ac64cea53e2fced610063b5a3c1e82c056120f3b60101eeb8

SHA512
4255d2cb7095408347c38914c6e6a9e917f1e5eb88321cb7dffb7b3dde293875b38376bbce38c4583355927387709d9de52ce204875b29214541a9b13990f098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
16b201434ca72e13f5e10cbcd4035f54

SHA1
6fd0498c88acce9b792d881b805cf9f67328ed82

SHA256
2bcc35ad5c5513ff1b0a21fe6f1a520b66adcd9bfc70b2cb737d90c1c3618dc1

SHA512
1164e362109437352f73b1c15f2a1d276956a3c922934e17a5afec54e3be8f5b28d77238bdf5168410acfdae77357f453c5a867afb491c0746344a6019f474bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
94dc1115915bd9534c066b0f92043bed

SHA1
5a6ee464ffca85dd2ea12f62f1cb6b51cff28594

SHA256
8aea9a8e09566ae12d43697119d94c8cfa48613bb856f0a59813682af7bcb111

SHA512
dfe59a770c88e514271938c7ab4907c151e3dcd20f68ee67b106913c978fefaeb28c42080a05e4c0cd624d208d0d3d14c735a1bcb552c2ac113b6542a860c572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
055c94e46d6188d0bdcc85caece18d31

SHA1
b0554dfdcdcc8bfc86b0a2dd3b5115e4faba2a34

SHA256
c0bc47c8385b7326fef501b43ada6dbc440afdba4ce33efdd75b2e0245a312af

SHA512
55488eecbc8c0f83da55312fe1f701a7930d9ef56f9fe18b8dd629a7af382ed63bf6e09b5bcaac2d995956c3fd8231c81c94e3e493f521e6d348431c3e74ec21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
9bf56bd4f0bf0687f3d75c9fb51db02a

SHA1
72c508a15fd68f11619094d38870566287247dd1

SHA256
54bf02052b70ecc27db37a878d24534f3d5f83c8f0e7f325409146b893ddbb4e

SHA512
fbdbf18dada19053061ba055a0196ff69c9577651b10c68536fe53adf910e9d525008ee63c825491dd3342e5dafc5763c5d1bde6f81fa9089c34a0e17de28a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
6e8597a183537368d2ac405bbd7328aa

SHA1
2782d05abe28f996c35416cbe665f36e9ba8da69

SHA256
20292b01221dba098400b83e03dd36e0fe150df3a6e9caf73cd6d1be36dadb04

SHA512
ea92ce23488585d0d13b8ffa219ae9707724a14bb9051d87943b26e0f80a7524167a64aaf03644228e29155e1efc54aab0fbfade4c93e2bf2a6859e4b680f177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe58cbe6.TMP

Filesize
392B

MD5
e182f6f485bd5f858bd67b4f9ba1646e

SHA1
aad62db47776a59be2f71e4c614085a5d8189304

SHA256
2c5c2be626ddc0c8ab8188d27d7a7f41b9b44120ca8599afbd7a0ae3eefc9d17

SHA512
3960f8799fc8cf2d7ab35d6298d697f105e95acdd98d6f1f27e18a826ad4f6e12019aff688a770d8df998462f3647efbf64e066d21de22c008e484b1a053efd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
b0369b25ee9036dd71738eed32e9431e

SHA1
634cc64989b0fa1a77e5622a1ec921285c239423

SHA256
9ee67c0338ad4a3af77f068f43f2c10f70b3502578d5164534571ea939b8c989

SHA512
9bbaa24b4518dbde4bf16ef27ec6d30ae5bc6bf0628562b6bd8d2af4b4c2fe6dbe9123e75c2e26f35f963342ad5b7d3e5d8eb52d06040625d9509c04207d2fb9

Download Submit
C:\Users\Admin\Downloads\geometry dash auto speedhack.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/3384-652-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-653-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-654-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-664-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-663-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-662-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-661-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-660-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-659-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download
memory/3384-658-0x000001FC983E0000-0x000001FC983E1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads