hxxps://github[.]com/TheDarkMythos/windows-malware

Resubmissions

25/03/2025, 19:55

250325-ym9gxa1yct 10

25/03/2025, 19:51

250325-yky86a1xh1 10

25/03/2025, 19:35

250325-ya1dgavm12 10

25/03/2025, 19:32

250325-x849msvmw6 8

Analysis

max time kernel
833s
max time network
829s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/TheDarkMythos/windows-malware

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
197	3784	msedge.exe

Executes dropped EXE 7 IoCs

pid	Process
5220	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
1640	geometry dash auto speedhack.exe
4876	geometry dash auto speedhack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
186	raw.githubusercontent.com
193	raw.githubusercontent.com
194	raw.githubusercontent.com
195	raw.githubusercontent.com
196	raw.githubusercontent.com
197	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_752715322\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Notification\notification_fast.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Wallet-BuyNow\wallet-buynow.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\wallet-webui-560.da6c8914bf5007e1044c.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_752715322\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\wallet\README.md	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_830715014\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-tokenized-card\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-ec\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_857619383\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-shared-components\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\wallet\super_coupon.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\wallet\wallet-notification-config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\runtime.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-mobile-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification-shared\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-shared-components\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\load-hub-i18n.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Tokenized-Card\tokenized-card.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_278957475\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_857619383\shopping.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-ec\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\shopping_iframe_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\crypto.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification-shared\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_1814545949\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification-shared\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Wallet-Checkout\load-ec-i18n.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_857619383\auto_open_controller.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-mobile-hub\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Wallet-Checkout\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-ec\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification-shared\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\wallet\wallet-checkout-eligible-sites.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_857619383\shopping_fre.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-ec\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\wallet-webui-101.079f5d74a18127cd9d6a.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\bnpl\bnpl.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-shared-components\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_857619383\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-ec\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-tokenized-card\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Notification\notification.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_278957475\_platform_specific\win_x64\widevinecdm.dll	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-mobile-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-tokenized-card\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-tokenized-card\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-mobile-hub\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-notification\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\bnpl\bnpl.bundle.js	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874049664135598"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{0F7BBDFC-3A69-4731-92CE-2D25AFB364FD}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5816	geometry dash auto speedhack.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5220	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
1640	geometry dash auto speedhack.exe
4876	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe
5620	geometry dash auto speedhack.exe
5828	geometry dash auto speedhack.exe
4748	geometry dash auto speedhack.exe
5816	geometry dash auto speedhack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 1604	5568	msedge.exe	82
PID 5568 wrote to memory of 1604	5568	msedge.exe	82
PID 5568 wrote to memory of 3784	5568	msedge.exe	84
PID 5568 wrote to memory of 3784	5568	msedge.exe	84
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4760	5568	msedge.exe	85
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86
PID 5568 wrote to memory of 4776	5568	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/TheDarkMythos/windows-malware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x220,0x268,0x7ffaf501f208,0x7ffaf501f214,0x7ffaf501f220
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1740,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2280,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=2560 /prefetch:13
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3436,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:14
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5356,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:14
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5700,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:14
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5996,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:14
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6020,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:14
  2⤵
  PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1108
    3⤵
    PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5996,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:14
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=572,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=6032 /prefetch:14
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6172,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=6232 /prefetch:14
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4996,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=6256 /prefetch:14
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5224,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:14
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:14
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:14
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=4528 /prefetch:14
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5524,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5576,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:14
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:14
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3736,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=4820 /prefetch:14
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3076,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:14
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:14
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3364,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:14
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:14
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:14
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6344,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=3064 /prefetch:14
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6376,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6388,i,17762210692376797609,7395756882437383202,262144 --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4708
- C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5220
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5816
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5620
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4748
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5828
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1640
- - C:\Users\Admin\Downloads\geometry dash auto speedhack.exe
    "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4876
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
19a88bad99bffbae6102e191cfedd75b

SHA1
df476b325df883b73eda1b2349bab45aa22e808d

SHA256
0d576dfbde1712b7288e4561e3eea75ffdad84dc50a77ceb57a6e9c37d60465a

SHA512
9ec5eb487d8c8fc8e283a94bd43afd740edc4df6a4509d83629416d040586bd42330eb0da6dd41ec1e5550bce9a6643319ff8584f8638a9cde9042fa406825fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3b6ca303-5dc4-496a-a1a6-1c18dc1ac245.tmp

Filesize
17KB

MD5
f009572544f01fb188df1fcbece184b6

SHA1
f6e8ea39cc15de151924ff28450548933a9f5b56

SHA256
ea2b4ef9863059d5a5564fee469f8a6f462c86addc2c8406c2eaf67a576735f8

SHA512
b9b89685eab6871038c0c00f5bc95192df281f63d2770c067919c05ed9f1ac37dadbfbe3683df6a9ea08b9e332c678af615ce132ff2457df610bae2bf1d63124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
a26940277c2c8de3bcad01ac95f90b48

SHA1
bced53b93db68a58730487b509c964ff8dfd40d4

SHA256
6f68bf636c1790de8020110a751409990944bb30479cdb3d02dfd0c2331b54b0

SHA512
71c2eaa226240bfdf4c67e9467cb23a9d57c8a091748d29a5279275e9e63f1150619ccb1fc0c5bc03786403386794cd8d5f2975a287906740bcc551629fd2f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
4344262133b2cf1ffacc0b90885bd893

SHA1
d28847aecb5eab875dd2f682f0dd15eae32401f4

SHA256
8bb5d6d4d8127169d8b4db15c5a967b5fa3b939488d7415d5c2032c8d1ae7d4c

SHA512
e425cb5ca07059c96c405d08ae36dc9e6609569c9948f1e73cfdea3267a7660dd97617865af87c095645f0d4964d6f0c2f837bdae08ed84b6e5cdbbd52a81546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
a21524b0210f0684aa4038a9f3f1fded

SHA1
7b6146310eaf8bcc7c29604bfc2f2500fb032827

SHA256
dd15c8e8d4f26a72faba9c8343c7b5f0998b89bcd1ccadc53969bf3818e3226a

SHA512
25b23d4d298c08a79889321f09b5cf88d60ff2a529df98daf86acdfdd31ba260c3a6772dc652ed0128247ad11e98cecbb9026587aac64de6efa9b4248500e6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
19356aa9566c8b67b8265a2ff305a249

SHA1
ae7f558b1be0b785a9ead0783618e0dc4a8439b8

SHA256
7be64f8939772afb3630d80bd0bf91dcb90954a786002f389329d2f42725dd65

SHA512
d4978c8e0ca6f5f87359c25559ab2f09edf87f13f08d23f8c787470b5bf44cda63caaa1300eb0305730e325cbbac1f6b2dba9d7c8753b5e5833aa244edd726c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
432659d7079db82dda2c1703883a2d92

SHA1
e5d3bee6bcf84a257cd522a566c713528ad53244

SHA256
e626f774e0910b5e3118f6b95d78ee8ee40eb06f45f68e475cb65f509a9f80e1

SHA512
7f50046bbaf2d50c9290c5dd13997e7146b94c91f00af74c95a2bc3d4779fd187f6dc3e9c0c77d67dd7934ad6e7600107ac80427f5b2c6d9c95fe6689d73a55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2f939fa48e6efd37db3b08cc65dcd380

SHA1
a29c7b3f769a0928704c9e5df522cb9545ed017c

SHA256
abfa0fe5d06ad793f13f6dded2f7d94cb7f66a04407d4212384c7088f452542c

SHA512
9e23d7204a2b280e1fa35e32883237367af72f653c86077a2743cd4b3a4951f93794be9071f2d09415d623e86fc7d9a7913aa1e16798555271f7fbc326d9c493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57b71b.TMP

Filesize
3KB

MD5
35cb6e8a691d833d87e72918a51adf73

SHA1
3dd3ec01541facce9f72c72b2fab13f6cc94f395

SHA256
bc77dec3f994d2eddb477e375f50833022944aa8782fdb7dd985652a5c35d173

SHA512
743fbe4c7ec8ee2fad24a148dc6cac1c571da88451518ee6a9a6f24927d1a465b9750d193afe36ba36d640957d5686b5837a0352a2eb39b8952ccd6c2077455e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e12180d1b10380ab9246687e4aa2f34d

SHA1
7c33722a6e33811905ed6ad98c46a35d5773e13b

SHA256
ca86da689b252f71815f992654045167070fea2b08c7e6963d10f341885c1458

SHA512
07fd0ed636a5194c2b908035829a004948ecc74b35677a761fad477f6be0a2b11cb4b0ec506cad08378bab9a7ecc70d7293c2e6e1d0f3a11d4f8f2c80f22df7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3293fbd950e9960cfd6f3775603909bc

SHA1
c39232f15f9ebe8182b82acb61cfc09dad739869

SHA256
1eb46ad062e505cd92a51f7f67707179f1fa981fbbeb4ca4dc4614fec348f26a

SHA512
466cf3e4edbfe4a2936eeac47f15332947709d7ac101439f5cfa77a6986247d78f917c6386e344a94974199b0b96312f1c71c73a6b2f6f24676f913b6e2fec56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f1e5c10c027ffa5a615026e6610e90b8

SHA1
cf36e6f0f9f5fa5146538f004afda374d50522d3

SHA256
b01ebd2f33106755aa8a7266ea8e3148755d631a60e7fc48774ec3ee7095efee

SHA512
1bf71089d9c06fc999c8f5e69e4cf14e902b0ab5d927d368d47bbc2d2f0968be734e5acb8e9c15adb133b57060bf2bcb12704bdf9a019f0a188b39353230a43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e6afca0aa38d8cfb8627594112e6eb1e

SHA1
ecf7341a59cced604f8817002cb8817914ebf7fa

SHA256
d9f5bdc4c3e89a86c30f20a88fb0bdf719552f6709498522edca39a38d2fe7b8

SHA512
787466fa109c5317706a1d30282ccf5c4f22c8a75ee749d454c34ac071437f11d6c8e3aa375739d8ad20dc1e149720273c28d64b6112a571bb17aebf66918781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
535ebab86e88260f0f02a419ec9e275d

SHA1
0a9d2120e208bb9eb3c05cf2023b5b76638e2c79

SHA256
21ccc5f2283213d2c378c656ba7431368c483d15201009501fc1fcb2ce6e06cd

SHA512
e19557771f1e4d8933bf5a08ed3f0a145b4fccfabbfc2262a1a51e5e4b6bfd42542895379edbd66f5303109f93468ba2d7fa244ed704d84b32ec4602fa67adf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
0458f0bdf601c8b69d09cf137e59c9b0

SHA1
60c10be2c8fba063d398d52cbc12907956a2adc6

SHA256
3759618af7da561bfec83e42a9a10b9d0f5412059d87a60a7706d170e99a1cb8

SHA512
4cf3f223be3713c97d6a0b3a83d7da0eff29397311a09f9d6510d66299191996341a3b9748d4dda25d915d65c897f333618af17608254edc9679f3f6fdaca49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
211d577e0a95b16b0b82c760ece84846

SHA1
c1c0550bd0cd07152358b9c463817e8673279941

SHA256
a8c31a70809d9f23106654cfd1803c6362c487d57eaba8412f02475f362f0457

SHA512
817e245439150ff66723849fe7b3aab5596ce0d8d616fef651dfa027facaf60be51c855c786a6607fa58a3bcce4146818fd702bfdf34d225d2f0d44254f11576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\temp-index

Filesize
2KB

MD5
c478bfd496562720e760890cb2ff86df

SHA1
296e58be494f1178795727c745fec45f60facd1b

SHA256
8395fb3b72a9c02ac025eb24413fafb41f09d2465b63b2b12bdfeb8c6bbbf3a6

SHA512
4ef0247aff1277c18b701b3a1d4e48c18f2eb63e49a896db686cd0c331526c915ac67484948e3636ad93427ff96a0f8a70c6b50b9d7faeadc34802c6861ccdea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index~RFe5bf808.TMP

Filesize
2KB

MD5
0f5b74f084e31c45278b3ae3693f99a2

SHA1
7360bba1a0bdd6406e390b8fe21cf4438133b7b5

SHA256
b0911f6893f16f0231573c36fd79c48fac9640a3fb14a902851294c57bab1f32

SHA512
2a6999ccc7cda4bdca13689ed7509ceeee3e0fc9e0c1d074c3aa2dfcf7433efcd4063783e37ce13613950827affcfd53f324b1815492f154b6670e6e635c4df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
767f34e283a23fcf5e24caf417fee5dc

SHA1
b1adfb26a5fbbf77a3cfc91d3c26310f856ce9d5

SHA256
0ef2d9c29de0bb04660cb4527af1d3114ab20da0e1563e5c8105c75bf62aedc5

SHA512
10dcd651b436c774c4eaf7cc203a44c3b5584ad7c599deb3d39328ecd48decbc09b378938406bb3a2c5c647f6c158a0524b2825aa4068276f81a7007d6709909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
ed09126b240e11a6dc3433c9fae9b7db

SHA1
5b90bd4d7ddec997f085e983db5db24364f3e8b5

SHA256
645ca5a3a83e8c29ee696bcf5deb5a966aa7cbc8266fcb288c9ee9455982a981

SHA512
a0b1fafb65449383b91a8e7cc6438698964f520df34d3e0ef8a2886cc93ad8c81d249ba4ae2c42b5bd24753adf0003b358ce3af76fe6e1a3cfafbfc50cd4f0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
0aca03a54aa2b47c67b947e6ca9eb6cb

SHA1
a766b43e4cca01c574b2e10f7f4dd666b0dca3b6

SHA256
2e8de99576c44a2a42606aa67d6ec4880b7bef65d2877bcda173b4ed81a2c951

SHA512
1579014b38512d5be6df7e914e142fda3fad8aa4712b7fc975bfa70893693958b01b7cfdc168efce46864b9009cc6e62854a582bec3b76bc5a3bba743ac908ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
1d95c21fab9355273858953d16961497

SHA1
b480a283cb754accd99d76283b279ccdf4a1d6e4

SHA256
60ea0469e3d306cdda400f05a21c02d36c5b5b40f1a4132675ad7b24f2dee512

SHA512
005d5a0a30bdc108123dbda5d3d317e66cc6cce7f42a50ed2409d17564cfcc624599b2252a3d50b0b01d67ba0b60cb4f4b4555c62259a9b882d1a051b6b244e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
4836b4b4b7426eff7acd2d04ef0d42b3

SHA1
6401ecf9b43cea72f8e3658eb432418f161a0e3e

SHA256
f7652645dce809fd207d1b7b5eb12cec1d44e7c014a16b07b9254baa74d97f90

SHA512
0c11888c30eac56a6ff9199224a0f14786e20eb645ae003a591ead69b83070e966665e0084a4c5fb13c5f84aa3dbe5af6b8774119ed5317a17d7c536a4d89d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
8f34f9de08abf5f504469a23cb67ee53

SHA1
7e993c975c86e9b807f7ae7a8e653357ba8d159f

SHA256
c902ffdc5c961e54fe69b40a6df1bdbe792ff863a341d2d5768caedaa91f2f6a

SHA512
032e136c58b58de37b9a0567b61b0eade91ce33ae8a346ccb7908549262e21d34ca0eb1e6d5fc559cc9e897f7a1d1946bd9f6149ba28bb0f929baeb97469eb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
9fb7cbdaff44f2d195259cf17f35c0bb

SHA1
45965f4448f70d8bed0cfd02c9e88311dd776e93

SHA256
bf061453f5a7c70a835521941e30bf32ec980070dc6bf27fd77d9e8d962e8c86

SHA512
2312bb2a34243d75664d07d00689217a8ce0bafdda705c95de5b7100af634c7810ec8cee45987ba916360dafb9a0a837d17e448f4566adf5b67fc1e9e2f96e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
9161c33e7040c48f6650de2a4159abbf

SHA1
5267b0478e64f87acfb011e28fa0f40a7e788ae3

SHA256
32d48c474a998d06cd85500aeb3541665cb3caf5af0d8bc1bddc310639330089

SHA512
8c8f6fc6a760de3456beb11414d29da2061b145e7c77150b5a0281ce20b77e3f5875e3caf963bc9b2d7a1a632081bebe3b767b14fdbdc92e4716200881b71a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
af20e9d5b8c11bd055d0a13f90fe78ff

SHA1
e1c693178d9bf8bde19586e16696946b5eec71f0

SHA256
f6dfb57a538b619cef8cd4041fbc1c44344e2d1ce958ebf49899354826af8092

SHA512
12290f7c5a66cc84802f6581a2a219f6aac11ec9e217e55cf26cc9a0e107df7da9a2f576ba96c98f5681524c3ce7552a5d3e01174fa9f6692060b3ab815c5910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
a4b6d7bf5deb41b72667e3f2bc3ece81

SHA1
ae779dd2bbab986196e2dcf2709d855a65128f80

SHA256
1c369a61249799994cd0baa39b0dffad08d300b3852cb92e1a48710c5429cf10

SHA512
6a2856b81e711f794c9ba967d3db73afbef9433a957c85c8538724bf86bc873b810ecf15c36394ca6e06932c98364658a6f8a0e7cce3e1d7266ce1a41a0d5b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
708fdbbdfdc3e6185a9d4e2f0116e88f

SHA1
82862c0ebd9fda28c4f79cf1ff16ae787acc3ea0

SHA256
15da9b3db7498d3f36f96ff8f94c2a96151f4aae1638abb278ce9e4180397f69

SHA512
90e3d7f266bbfbd0bd3176161fc1c3cfa453563f57c2b74109c1f85ad9da6cff19c08a178ea6933773696f6981db589e9493b9811b632ecc336a7fbb4a4d927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
4e0ed7b381ad42eb36d7a8a43358bc38

SHA1
e3cb74980377915eab42a8bbfd06066d13503556

SHA256
e7ffd0e7d547ebaa104ce204fa23f003cb83bf86e09d896ce3fea191870592fe

SHA512
16913b09da25aae7df69349d855fa72bb32cf24a617319eef893b272b53f00b0052b9725e03427242aa75ced2f442fbbb73111d302a1fccfbfef40f223a62e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe632e88.TMP

Filesize
392B

MD5
09b1a777c31122a243c84e4c84c2cd3e

SHA1
016294f9dfb0d28045c41ac412d9a972076a2400

SHA256
f2f440398d479c8ea997c4ac7996e1c191c4dff6de3d2a18d5ff91844072c49b

SHA512
dcf105542da76734c9cdb72970b7a14a12eeacf91eadd769b21c3831ee9d345be32915b24709c519a3cf6f1dd53cbd9dd8fc8ce9003c46ee41e546e9b9b6f8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.25.1\typosquatting_list.pb

Filesize
628KB

MD5
c26015b2460d1acf6859aad730dc8f4a

SHA1
9c772753b62eaf995e39ea5ce1ef86454b58f169

SHA256
5d816db5713aa5d2fa0c1de5461729250439d7609d95bd65623c0ea62da192c7

SHA512
ef72f6e7a4ac1eab4c59ef0d90f884e29880a305ca262869b87a90462897d182a45b38fb074d704205a422cb886214c05aea6d0701715917b3092cb15559a6d2

Download Submit
C:\Users\Admin\Downloads\geometry dash auto speedhack.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_1814545949\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_1875689284\manifest.json

Filesize
118B

MD5
3004ab7c9e3747e5109246e7f6b3859b

SHA1
ac4c574c03611b8bc675e878a1be8124bc32fb48

SHA256
1cb88f273e7906a853670161b6c75fabdd67f67c91b96a78171e2877b88eee96

SHA512
f81e8de5d3010bce31b311de7545353b72a9befd01249cca99e870f141090ba66913991c458f4b5cdfb80902fd116fecd54981cc0a0f4049102247c273f905e0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_278957475\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_752715322\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_752715322\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_830715014\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_856489530\manifest.json

Filesize
121B

MD5
7122b7d5c202d095d0f4b235e8a73ca5

SHA1
0cca47528a8b4fb3e3d9511d42f06dc8443317c2

SHA256
93b603f06d510b23b95b3cacd08c3f74c19dc1f36cd3848b56943f069c65e975

SHA512
ad6fba6e0710cc26149dcf7f63143891aad4ebba0cc45670d8885fade19dc1a50b542a15b10a7604b6b1be4b8e50fcd5514f40c59b83cc68bd10a15ab2a93c1a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5568_857619383\manifest.json

Filesize
145B

MD5
92d8fd80d37e7f7ceab3b7f7e9ade68a

SHA1
f350b2460c3d9a9dcf1ed3fb965f727503a7944b

SHA256
2262c642067206eb885632bcfd0e12238155a14c98fd46be587c852471514513

SHA512
8112d4bd7256726fe63dea0eedf8c274f90424d29ee3cc4c360ba0c54ccc1d07ef36faf1a2fe19d1aea1447dd5a6ba6d2db0607161c486e882bcb3c01885238a

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads