hxxps://github[.]com/TheDarkMythos/windows-malware

Resubmissions

25/03/2025, 19:55

250325-ym9gxa1yct 10

25/03/2025, 19:51

250325-yky86a1xh1 10

25/03/2025, 19:35

250325-ya1dgavm12 10

25/03/2025, 19:32

250325-x849msvmw6 8

Analysis

max time kernel
305s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/TheDarkMythos/windows-malware

Score

10^/10

bootkit discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5032 created 4368	5032	Taskmgr.exe	159
PID 5032 created 4368	5032	Taskmgr.exe	159

Downloads MZ/PE file 1 IoCs

flow	pid	Process
259	5904	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe

Executes dropped EXE 9 IoCs

pid	Process
3872	geometry dash auto speedhack.exe
4368	geometry dash auto speedhack.exe
4536	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
2428	geometry dash auto speedhack.exe

Loads dropped DLL 2 IoCs

pid	Process
5032	Taskmgr.exe
5032	Taskmgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
259	raw.githubusercontent.com
257	raw.githubusercontent.com
258	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_644725901\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\classification.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1638254617\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1153743105\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1801188997\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1816038384\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1153743105\nav_config.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_608674383\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1801188997\deny_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_644725901\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_608674383\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_608674383\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1440813024\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_608674383\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1801188997\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_644725901\crl-set	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\travel-facilitated-booking-bing.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1816038384\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1638254617\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1638254617\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1440813024\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_608674383\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1801188997\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1440813024\office_endpoints_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1440813024\smart_switch_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\extraction.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\travel-facilitated-booking-kayak.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1153743105\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\automation.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1801188997\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874049633412751"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{C9BBA9ED-0904-4D63-847B-045718A2E231}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	msedge.exe
2252	msedge.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5308	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5308	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	Taskmgr.exe
Token: SeSystemProfilePrivilege	5032	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5032	Taskmgr.exe
Token: SeShutdownPrivilege	4440	geometry dash auto speedhack.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe
5032	Taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3872	geometry dash auto speedhack.exe
4368	geometry dash auto speedhack.exe
4536	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
2428	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe
4192	geometry dash auto speedhack.exe
3004	geometry dash auto speedhack.exe
3400	geometry dash auto speedhack.exe
4440	geometry dash auto speedhack.exe
5308	geometry dash auto speedhack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5792 wrote to memory of 560	5792	msedge.exe	86
PID 5792 wrote to memory of 560	5792	msedge.exe	86
PID 5792 wrote to memory of 5904	5792	msedge.exe	87
PID 5792 wrote to memory of 5904	5792	msedge.exe	87
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3496	5792	msedge.exe	88
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89
PID 5792 wrote to memory of 3212	5792	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/TheDarkMythos/windows-malware
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ff97abff208,0x7ff97abff214,0x7ff97abff220
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1932,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1864,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3428,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4208,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4192,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:2
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5304,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5300,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5992,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5996,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6192,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6012,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6472,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6700,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6856,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6284,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6336,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5388,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6976,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2572,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=1028 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3736,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6340,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6268,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4832,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4812,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6176,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5912
- C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3872
- C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4368
- C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4536
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5308
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4440
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3400
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4192
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2428
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,14078421748293554140,2983915329900127627,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4640

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\SysWOW64\Taskmgr.exe"
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5032

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\18fc275f2d4e46d2893cdd91ef7dceb5 /t 3964 /p 4368
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1153743105\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1440813024\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1638254617\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1704634064\manifest.json

Filesize
135B

MD5
4055ba4ebd5546fb6306d6a3151a236a

SHA1
609a989f14f8ee9ed9bffbd6ddba3214fd0d0109

SHA256
cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5

SHA512
58d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1801188997\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_1816038384\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_2006040859\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_608674383\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5792_644725901\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4013ebc7b496bf70ecf9f6824832d4ae

SHA1
cfdcdac5d8c939976c11525cf5e79c6a491c272a

SHA256
fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a

SHA512
96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fed4ab68611c6ce720965bcb5dfbf546

SHA1
af33fc71721625645993be6fcba5c5852e210864

SHA256
c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4

SHA512
f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
495B

MD5
4ba2d99dad79c5c6bc414b8631946662

SHA1
fd78627fc1c4e14a8f6f225ded3caef90269a4ab

SHA256
5fb6ff04e635db99ba844942d101832a5fe9865a1a398e2768866abeeda91c9d

SHA512
8dcd9127c54df3e4133de7daeb7cf828404f7e513a5b872ddf127a29a913724397534c56c210346f3b6c1eb4b2928f0147ad5d73310ca3cfeb4c7438ed86a0fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001

Filesize
158B

MD5
86796f18d97cee5f10f1c4a954961390

SHA1
284d2a0d9bc49be74dd616560fa3cd7f90d147a7

SHA256
e08d8c51060835cc472682b0c8240bb0b9acfdf376daa538050fc34ad4fec489

SHA512
2d6baa43775efd075977556fcac18e258fabd08f52a1d29d5cd69a78e6bac2d9ac1bfef5c793cb15c0751ee569733a73595f220fe4ac66f25a7ced6195f8b445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a7aabe7a707c5670c7d3f7cd2ad2b449

SHA1
d997403db2f36b92945b2b80cf5d399180626c46

SHA256
509cd9e44ce74ae0b2acbd213a70e2d286e03a36b5642fc2f6a422e6ab17a20b

SHA512
c8f57e0baab0dc3b99d90fe724dedb31b9d881b988e0ba879c423e31cd4f7d4cb79fc7e882680ea1e8f41533cd461d480f8ca07c7091e07cf8b7e29f75dc2b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d0904da1f94780e59be776141771bbe6

SHA1
393b5f1fe748f0db73ef4bcee18b510f7a91ed7f

SHA256
2f99c1bea411ae81d510efd99ce90d2cf6b3c9ae66e7b3db90db8202e95b84c3

SHA512
7429efae8c112f21c864ef993dc6c6497045ce871fdcfeb8e8230eeb0e12087ce280a0b570aaa62be373a82961dfd8ce632c00845afcb2b374d0d673f978e890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe581141.TMP

Filesize
3KB

MD5
27597cf9b17666317f0b6ab9a40628e9

SHA1
2ab5597f4c06c98b91bdb79176fd6c3d7ccd843c

SHA256
88120b951e2f5a00cd0b3a51467b6ba68900633beb7585565467e8f1ea55d304

SHA512
4077e51393d90e4629137f0f3ac8566dd0c6d0cabb2a5254fa88f57e946964f8d6ebcfa92b33ae32e6aad7295f17a19f37e449fa0ad7e30d69d1584272fae10a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2438278b5b451a75711c7dde8940e0e0

SHA1
a4744df22be00ae7f52e8d5e7bfaaf57d16abf6a

SHA256
3f9899bf9e26b77c59038cc243cf9e9543671a16d9213202611a64a88e598c04

SHA512
9807a4a377d3a94e33e0ab0b2ee0a0005ceee2a3570a89ff716f637f38f7e507bd2118995d02f78801e17ab03201f7f486a6236128b436ebc21373fc5681604a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a3bb3331de9d3bcc71cd8c68b28b441a

SHA1
201ffbc7f72a13cf35a21ec7e353881e9d243e0a

SHA256
28aa70e2351976a67692b2829a6a0bef6891b17f147d288e64baa5ca7eefa668

SHA512
c3d29d72c7e43b3a719e4e9fb5f9e6daddc3952363c15c002b32e6e0abf8f333ab77c4d9b1468f5944ef8f4bd53f9724e852d10163199fa99db36d42e79ae1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
512b3f68e793045e9be112a8bb4f314c

SHA1
92958e8401c591d3e5cf6f14d5fd9b8c0ee6248e

SHA256
8a6f385a585765a1b780203caf66c000f8f0be683ef1c75fff228ef584dc38b4

SHA512
3ccd44b3277dedce89e2304cd0a87085cf2f374f9500484072f1e1c64b8070582669549004d57835a9caec4e8b695b67ea9900d9f3942d0404e579ac3eb6ed3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\ce857822-3e6a-42dc-bd5c-fb906e416785.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
2519b5bc773e24625508f9e410977c11

SHA1
dc83fc03d10e1f624400807cf3e87db42c4db94a

SHA256
9247fe06c62f3a94ff2c0023e144b9ffb0896a367af7682012d0dc44d148cdec

SHA512
3d3eb2e844c5dfd2cc12cc818f3bc7f02ae1a95a05feadc807ae67c141e36b4bd6ce651000d4143776aa28ca49b8afd8338616d593332293063f22f63cd8dd5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
90455817712810de0666dc5dd13b75fd

SHA1
d08adaff22a4c72d796c279c95884fbdaaf312bb

SHA256
f6eaeca1fa7a6d9f0ef1c87444ea2ed0e1a5b33b02bf4eecb42a1623552e44ac

SHA512
1ca386025822fbc1c44812c71c0fa9f0fd0c1f671a95d52dbe5a354a02251528177efc9dfe01c2227d5f1671f3bc23e4816630ede1118f66cd1a0b3a6d6e3ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
06d16acfce6035aa752ef2b034a99350

SHA1
1c2b61d26fa4d040c537b3518f387f991fc9251d

SHA256
d402850e6a52269fa17c5967ec4255ad437b18e642916581765bbf9257c01809

SHA512
4634d8f6ea1b50832673263aad1580eb5730748c43f663ce8747cb367ae31677c01f9dee2a0ca7d8bcb3eb77ebf12ba3c6123f0697519ecc900bc7dbb569adcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
a69ca28c6ab4b8f112e8e5a9e9aafb73

SHA1
b73356e212b4f18a226c168024ce8e89f9b73ddc

SHA256
ad89b7f3b1fc3c55e9a278f9294139006de7f157161256af5bead388fdd7aa41

SHA512
315377c62fcac71e9cdba315b2ca44451768fc8e193f5361d8cc804e0dc2ca445f78c2de1e1de80efe75ead04d1560ea22b52fe24fbf90cb4cb83aadee644c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
504e20344a776a38a13408454f630e5d

SHA1
ac03921aea69c73fbab1259104e26a6f0ebfcf21

SHA256
14ffe25bff14dce74adedb5f3409d6e44d0508942aa8c6898b2e2b63549902f4

SHA512
d6c5515d0cb589d68c54f92a693fbdcec47f6cf2ce825a7e74a1fbcef40d0a9f88d7711636ab8a324daef63d4d37b977f99b8a7a9ebadfbdfa935b36d4c777f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
c669ba839fa5917fdf8705c299e9a13f

SHA1
0fd6fec52013b3c63df032dad524a68cecb7e976

SHA256
91ddd29792a418c3de5b90246b1ae871d34f901427c4c161c55f7c7cbe74b885

SHA512
a0f48b02f8d5fef33e17fe2230c0736b616e1665a545129407363c8e604fe3e481b3cab441c3fdb87c2acec487b31116efe7123aeeab7b43f189778b36d9307c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
880B

MD5
d355529fbf6264ef3573f490ef764c65

SHA1
a0748db2c2a647b93980ab40bf87adfa67ed5861

SHA256
b98769b71beb24de79653332c3133a5664afb6d5a1b8d216d8cc9e72af11dc71

SHA512
84e950fb9110c0fa311c8c6a637d3f706b27a30369a4c12418179206623160233375944ca3fbe92e97dde4c6b7332c160963555f3afc78918dc9b3f50ecc7028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
b00362c47e0d3151588ddda49021ddea

SHA1
7c598cc509432567efa8f35ccb53a5b805f8a912

SHA256
bbb189b2eb8c36994d1c07f12da5e11dd422e094d320e5399830d697c0e6b46b

SHA512
7c386bcd264a23bcc3debdb82e3eabc19db726509ecbafd96fcedeaa2c3005383d183755fefe8ee26cfa61798667aec2474befad279a2d726e706ef27365b0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58631a.TMP

Filesize
469B

MD5
0ab58bb893b6664c5307e3a3ee8685e4

SHA1
a8cc0064854be9b1067445b6ab1c2186c4e927a4

SHA256
12f19513eec21e2bb1fe7b49ac32897679eff601e7ec120fa2596d7687b03510

SHA512
952ef7409040940fccb573c38e35b9b10fb1d1177c8c19b5be39e6f7f23b090e78251f603da2ac1f9f0c591454c888c66abca9f5ef092a20e4bff434d0d9cab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
21KB

MD5
97ffbea42e9a0795865f12dedaa14292

SHA1
82b1a9a09d849ca8e55914ceb05677991729de10

SHA256
84db83a7515ea99283ea322d6ae8a7e806287e7e98771a53a5d0e3ff362ecd16

SHA512
884e56e3e7419a5ce22725d8b39b6d9424c882185762fe6ebb3a5c67d65e87b846ecce8a26491019acd3ba79641f489a32e20e2c7b99576315352cca1f5a13a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe586424.TMP

Filesize
3KB

MD5
c7569efb2fa9fe93c0ea2f0896f54036

SHA1
e231c700b778b624f6065b035e5803fdd8b4db4b

SHA256
2422f055fd21adce7a027c3eaab1bbc474345a26cb1b9762b3d7572ebde67d3f

SHA512
c394da9a75cca87f6e20cb2abbc2e087d3e374b613bbc960f255ebfc8f01d4349fc8a487ec56ff8141f47566cf021dc33196e42b6295ce5399ff78e5ce4b066f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
956101ffecc54d38b1a2c69ccbab4b6f

SHA1
4b32abecc65339030d08979f6c1fe0291ccb5c7d

SHA256
05c7336dad4cc64aa09ec001884e7a1d34a2259798b529182caac7f323062788

SHA512
80252b050ddad424936476f682bc1ab7b84001eed52f749bf6f316c7a9e7a7bae14c62395f2470df04fee1d309731ec1913af6f88cbc33863161e27125303f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
e1f024d05561d62b313052fcd962b191

SHA1
a6389deda5ba977b2a2ebc1cff32cb7d9ddb1753

SHA256
4e0f73c6e387ad5eb0f318989da2a7b3f730e7650ff3e81100b979857f5bf212

SHA512
b8877cb6c49a7f9b017043e57f7030f7d3f20ca396c4e868a991e75838ae6b86c7b34e576fdc25c555ae0ce94f09ff00029ff6bc1797333df55ec027372e4884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
09168ea0a312e5a0267e9d1d4c12fa62

SHA1
f43e4efba38a8a41e79ae34a109870df9beef5dc

SHA256
0512ee57365648e797f35e126632a0a7f34e53bd3600ac1b39565054b9255f7e

SHA512
48e801fc8a09dd0cc908405a39cd5f67dea9ccfffec9d7069ec11914537f22a6277364750f7f9166bd67740817609f36def850cf7091d7d21b3e2eb5697289e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
0ce9abf2a31d478fcf0e953f642759fd

SHA1
f0ce10a467cff2de51adfbcb74f6c74af7b5bd96

SHA256
f2d734e4ec51d4ffedb7e9896ef30f6c0c1ea66175d3348b919cbed4ce3a7b47

SHA512
592cef0e2d7af1dd683916bed2826adf39d3e301bf60659d34283e16a601c7c8619bfdfb4b2abd2bc830daef8001449563a16a1de791d8823fc0953f6cce95db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
4107f05827e4315dfc5c58f702185bcf

SHA1
8ade76afa950d60332fa3d97a1192548b4eba552

SHA256
226493339ff978571f2587d72f8f431b448ac9c99bd419f44cb60ee29075eab7

SHA512
7df840c072b41ab8d6d2349b7e20b2fb06ab02e1f2de6d4d6510a642272db6280fe012a6d89ef81026f655110200eb3b44475d689f18845c9700a6b9579ed7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
bfeeb48bab56d7ce39af39f6db0fc093

SHA1
65823b43907661bfd502fd00fb05488916e40383

SHA256
a6c7b46db6bcbc18d262bb7891d82cfcb51835dd6205100ec58740c0c3e548b5

SHA512
fc7cfa46e6076cf549c5fd9fbfbc56bca6ab712617365ed8df584ffe95abf9f6521e003b6d0d57e4ac7bada2d57cf2ddd24f1cdd6e68af3bfb2e6f71be38a1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bf6391c-7296-42dd-a309-d8e36da91853.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\813ef563-d360-42cd-bab5-d070d8997479.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5792_423897602\e1ad3cb3-8f61-407b-a9f6-14f3d0648d19.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\geometry dash auto speedhack.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/5032-1282-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1281-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1280-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1279-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1275-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1285-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1283-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1284-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1274-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/5032-1273-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads