darkcomet | 141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Size

1.2MB
MD5

0df35e9bc20c616eaf0ec1cbf035f1e5
SHA1

fe5e7ec788f03838289528ccc96f42ee5aaf8e6f
SHA256

141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03
SHA512

9b14f02072d7fde33cf4e00cf3289a1adfbb42c3707ce9a30b4149e97aaa9c7a37bc9e2dde365452481c54039efc9fe2eccf6d79217f62b4205d48bd428336d7
SSDEEP

24576:gvEYVxNoHgkXeLyr6VuPJNNr/K/cRgOnmq9g62pFSSL:gv9NagroLrscOU7m6QF/

Score

10^/10

darkcomet haha discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HAHA

127.0.0.1:888

217.66.231.239:888

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
MOKSC\youtube.exe
gencode
EAYaaW4sHghc
install
true
offline_keylogger
true
persistence
true
reg_key
Micmdjedate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MOKSC\\youtube.exe"	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe

Executes dropped EXE 2 IoCs

pid	Process
5508	youtube.exe
1180	youtube.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micmdjedate = "C:\\Users\\Admin\\Documents\\MOKSC\\youtube.exe"	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micmdjedate = "C:\\Users\\Admin\\Documents\\MOKSC\\youtube.exe"	youtube.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5960 set thread context of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5508 set thread context of 1180	5508	youtube.exe	118

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_2017553264\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_350817014\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_350817014\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_350817014\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_350817014\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_2017553264\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_2017553264\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_350817014\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_402881211\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_402881211\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5100_402881211\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	youtube.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	youtube.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874087030245370"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{CF99F309-DFDD-4E02-AD3D-F315AE236F5F}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{5B24C823-D115-4122-A9CD-03DE7994FF4D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeSecurityPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeTakeOwnershipPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeLoadDriverPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeSystemProfilePrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeSystemtimePrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeProfSingleProcessPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeIncBasePriorityPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeCreatePagefilePrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeBackupPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeRestorePrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeShutdownPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeDebugPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeSystemEnvironmentPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeChangeNotifyPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeRemoteShutdownPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeUndockPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeManageVolumePrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeImpersonatePrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: SeCreateGlobalPrivilege	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: 33	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: 34	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: 35	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: 36	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
Token: 33	344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	344	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	1180	youtube.exe
Token: SeSecurityPrivilege	1180	youtube.exe
Token: SeTakeOwnershipPrivilege	1180	youtube.exe
Token: SeLoadDriverPrivilege	1180	youtube.exe
Token: SeSystemProfilePrivilege	1180	youtube.exe
Token: SeSystemtimePrivilege	1180	youtube.exe
Token: SeProfSingleProcessPrivilege	1180	youtube.exe
Token: SeIncBasePriorityPrivilege	1180	youtube.exe
Token: SeCreatePagefilePrivilege	1180	youtube.exe
Token: SeBackupPrivilege	1180	youtube.exe
Token: SeRestorePrivilege	1180	youtube.exe
Token: SeShutdownPrivilege	1180	youtube.exe
Token: SeDebugPrivilege	1180	youtube.exe
Token: SeSystemEnvironmentPrivilege	1180	youtube.exe
Token: SeChangeNotifyPrivilege	1180	youtube.exe
Token: SeRemoteShutdownPrivilege	1180	youtube.exe
Token: SeUndockPrivilege	1180	youtube.exe
Token: SeManageVolumePrivilege	1180	youtube.exe
Token: SeImpersonatePrivilege	1180	youtube.exe
Token: SeCreateGlobalPrivilege	1180	youtube.exe
Token: 33	1180	youtube.exe
Token: 34	1180	youtube.exe
Token: 35	1180	youtube.exe
Token: 36	1180	youtube.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5100	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1180	youtube.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 5960 wrote to memory of 804	5960	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	96
PID 804 wrote to memory of 5100	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	97
PID 804 wrote to memory of 5100	804	141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe	97
PID 5100 wrote to memory of 2096	5100	msedge.exe	98
PID 5100 wrote to memory of 2096	5100	msedge.exe	98
PID 5100 wrote to memory of 5200	5100	msedge.exe	99
PID 5100 wrote to memory of 5200	5100	msedge.exe	99
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100
PID 5100 wrote to memory of 5008	5100	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
"C:\Users\Admin\AppData\Local\Temp\141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5960
- C:\Users\Admin\AppData\Local\Temp\141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
  C:\Users\Admin\AppData\Local\Temp\141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=eIWgFo5T0lQ
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7ffa9e8ff208,0x7ffa9e8ff214,0x7ffa9e8ff220
      4⤵
      PID:2096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1976,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:3
      4⤵
      PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2580,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
      4⤵
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
      4⤵
      PID:5896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4956,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:5084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3944,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5344,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:8
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
      4⤵
      Modifies registry class
      PID:1852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3572,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:8
      4⤵
      PID:3036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3560,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
      4⤵
      PID:764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
      4⤵
      PID:3528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6364,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:8
      4⤵
      PID:1244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6364,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:8
      4⤵
      PID:2200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6676,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8
      4⤵
      PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:8
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:8
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5700 /prefetch:8
      4⤵
      PID:3928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6380,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8
      4⤵
      PID:6116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5612,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:8
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6384,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,12411950308818114182,18193234065461819039,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:8
      4⤵
      PID:1728
- - C:\Users\Admin\Documents\MOKSC\youtube.exe
    "C:\Users\Admin\Documents\MOKSC\youtube.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5508
  - - C:\Users\Admin\Documents\MOKSC\youtube.exe
      C:\Users\Admin\Documents\MOKSC\youtube.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1180
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5100_170106908\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5100_2017553264\manifest.json

Filesize
118B

MD5
3004ab7c9e3747e5109246e7f6b3859b

SHA1
ac4c574c03611b8bc675e878a1be8124bc32fb48

SHA256
1cb88f273e7906a853670161b6c75fabdd67f67c91b96a78171e2877b88eee96

SHA512
f81e8de5d3010bce31b311de7545353b72a9befd01249cca99e870f141090ba66913991c458f4b5cdfb80902fd116fecd54981cc0a0f4049102247c273f905e0

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5100_402881211\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
09f9afb2ac7943efece6fecb06704e5c

SHA1
b9789ed8b5eac602051d7a2c9edae1d66b613cd3

SHA256
214a5750a000cfb1ae4de7ec7020dca39ff7ed478411f34646cf524f8d2034dd

SHA512
cc326f2e3eaccceb1c14f19ca4527769a52d00baaa06e19173d43c9bf20ddd6d94e29713f8c7922f4d87b48cd6a620c03c85841d1aa4efb3069fd7e3a42dce5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5849f5.TMP

Filesize
3KB

MD5
462d7cb40057d2bf95a1477f3f2c016b

SHA1
448bb69ea181d456bc7984e479367020800218ed

SHA256
c5228fb8735c1639be6570624b0fbc7aeef9612871d12b942717c098f568a9a5

SHA512
13419b505bcee8412b228d3045362c4423a5a72bcc96cc8130349f60bfb39d6954dc09fa34629d744d45c8ac59792681d6a0e42356e2984a8f685d193c4e9c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
3b0927c25e652ec636a6f6200ca9a800

SHA1
2651e06d284ebff089dbd784fa27cfb07a95d4e8

SHA256
4028c32f93e22a9d000b90f6ca010a89c4c4a211487ab3ca1c9a29db5a678cdf

SHA512
fe552b6d47938436f31e8960c5665288382792ac15da348bfd9105d8cddee7250b7ac1942ec8e7d192d510f983e4e79c47f1eaef3e4600db6b9966714407db2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
11a69dcc026ad0bc9ad0f1f6cdf44474

SHA1
2ed11ffb9b4c4e77b6ca86228e43589d3d462a6a

SHA256
a31f94eda107e5b0ea98aade6f29a192882d3cd6f7424c5a8e06d928b4782d89

SHA512
1ac9633b1f868fd1d69bee366268fe1d971f8fb36274385674dd6940ad46afdedf59aba03abf57ab5b4640103d56a87ed4e37107316cf57d6ec8fe74813dac8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
3453a99dbc27516f76392669a296703c

SHA1
3604ac934f41e1549fe1670383328736d5a83b9f

SHA256
59f91b289ae2968e5d9bebe4a89ba2a5792466e3157071acdbb81b998070cfb5

SHA512
7f718ff827a86efb8f52f337f7d03bc917c82cfc73c3700099a01740fded70b0849f15c63b5e9c824584ea47c3c98fcdce708bdfa0ebb9d369defe9f2df907b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
a7777e89f799ae692f5fbd54f2c92be1

SHA1
a17da3439b86356664286ad66ad0f306a6caac17

SHA256
0b879c5875baa30599da4fb74eb3d1b8c31218d81b05c940efc1dc5d77cc4094

SHA512
30710e1744f2e49cfc5bbf88c074f09108e12b1d3e47271a5ee53d9fe9c8d19e8de2422ab0089583f0116a4b4884d6ac69883510e64fa730ccb993cb5907961b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
9ccc6d9ffd50cb3202033ec36453d3bd

SHA1
b40dabf35309c90336a3c15260638f9849e6f812

SHA256
52732f6237f01060aa6f9d2a1deb803903862279a39e4ca61226c4d17954443c

SHA512
dcd47930d37fb2bfe01d0e0541b0247edb67b772a85f358620932ec08274e19a679ce1edda663f2ceb3eb80e28c8ba1b3e6e2ff3c33ecccb4eb80879beee9b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\df901303-3283-41fe-9e2e-e6fcac66bd60\index-dir\the-real-index

Filesize
2KB

MD5
b21c76ff01c92b394eb6ca4d81ec0ecb

SHA1
c8b88c0ac91a49510f953b748114ec0d03e79e86

SHA256
b7f44d5d2688218bf1cefbb2d5abbdcb34b3dea000cfa589799202f8f2e87a9a

SHA512
71d93518a0953cde101e4b65ed6bd4aa702be92601d86e92501a15a5f93a712c2c0caf7d2218cfa7fd77d40ca456d24f2dfddf4f2b7c4b8d9df81f92f77656c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\df901303-3283-41fe-9e2e-e6fcac66bd60\index-dir\the-real-index~RFe58369b.TMP

Filesize
48B

MD5
0f44e0553e69aa8fe881c987f53b9682

SHA1
1d2ba8a1f5e18d6db955a2cf245012581f30e152

SHA256
ff01e2b07104592a64a73cf1fadb3616611997ac25a61f4246ed35b397e3249a

SHA512
0f75a453c29145a100cd808dd967e824e2c20a28a6137e7ada684deca2cb0af17a7bd52daeb0752171807d1f467060c3a4f6254c583385e222aadf76be6cc97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
271e35abbcb06eb174a73a76ebf83f51

SHA1
12a0d2b0ed236b03d0ceb8b570c7172a231a2da7

SHA256
9175515c5266fbf6c057c7244c85af62b801d0df67081596c67e618dfa18b709

SHA512
69636dfb6dc2ca7c12515b89b242a3cb1e607436b8332c60a4c2c26e8b3488fbcc2c7c0ba29e8beeaaeb49a7686527aed64e52f591a02e0d3838764436419788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
198B

MD5
8bd1fc5d8613b458cbf7dbad7acfca18

SHA1
cb103afb1319d38c54bc1a3adfb9e50d80e5a963

SHA256
0b724fd9a0a4f3d99fdce5444578adafacaf238dde47735e20badbcae8050b79

SHA512
1fd7ad8244be786f0059387615479fcf35595002a7f9fa427ec9a447b16c7bb87551e09e3bc1866f4fcc9b050cbe8b744e15d5a1b0cc673383ba3f4faf43f725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
0717e891f1af4f30a2469fce0ae00cf1

SHA1
66a2d275f0232a7bb0cd86c0ee630adb4103b159

SHA256
2d0476031468b8a6994c016107b813b27411367d24cea8e10fe7ad72265d33d8

SHA512
34fc51e883a165dfb29f2f9ade2653bac5bdbed03ad59df88b42d1816dd987f4d14fbd51013ac1c4b1a1325fe8601180997727252748ec551bfb757da898aa38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
193B

MD5
c79627d9a50772cf02b317f795a7809c

SHA1
128a1dd373bd8ec80f12165ba3eb7cfe46df2ecd

SHA256
2fb9571ff15826bad2a1ddac4261e90876afcc733f3f215394c206cfe0e22389

SHA512
616e6649524ca67e93689da83e3aedfc7b3bb5571b48c3a85c3a50abbbe5aa6a40b5b696cc1b960426d4039040f3943dc51eb2e6ed00eaab70ca31e45512dcf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57e0bb.TMP

Filesize
119B

MD5
9971f7c4ba71e75a65f29583590303e5

SHA1
7f2065dc97aee32190f298ce113d96c1d463b5e0

SHA256
d2297080beb211e7c2533016d1bf495408f5f78a27069cdb33d1eeb863269fda

SHA512
84d74c6c6fa5ffa131bd04eec11bf3bfe31992a9663c33b455ddfa651777a58208b942eab20dda5f5f378f25d3f5af5c29d3f37ae7fe73bfd786ae7e724f40db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
309be544bc46ee0ca3bf4ba93b137c53

SHA1
22afebfdbd461ab7352e511603946bb37b4017d4

SHA256
3067b1d8f62e6819e2b5cd49cefabfc86f81052d834ad12caee3447ae02555d6

SHA512
298d0781b2af89e68c1cfde51cc395b60b8fc6570b6cbd7384f3bed2cb460a0b41f35ac156a2aee99dcf068cec272628b1df6e96bc5cf8406f374941e6c999fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582f68.TMP

Filesize
48B

MD5
675c3ed2716b49b62390995b8c1a62ba

SHA1
8438e10d38d0d77410d0fc0841e3b71bdec61695

SHA256
0a03140ec186fbf38875814a6efcc8092c5766f779c3cb776c0efa534a6cac0a

SHA512
824a6ee9ee01dc8cb1535e39d433322e57447d32aa430545df52bebbf73ad8d0ff6cb40e7daf1754e30573e48f6623884507fae6860b78fbe6167306525fb5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
a3dd223eee798f2ab50e146d122c70fb

SHA1
08362622408934e24062969686ea427d644819cd

SHA256
90b9c7d6baa6a05c31dffc206ecdb3ad08c9d0deefbcc6611179563c8ff3c3d9

SHA512
7b6e22d90da1086d307fbdebd21178cde4ec1c784e54de7476b0aa52f1135f9188e9fe8e974511bca6ef542b99d35a42b966271a1d893c46cc47907f57fb3a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
5e6cb798770eb3f80173bbb32c136519

SHA1
a5665f735f1637bbadd70bc4cda16a6563f9659f

SHA256
e47f90f2a9d11fdbaa415f2b31bc664cd4195df8308e0bfb1b1c7bb867c6366a

SHA512
7575427e51654c91819db84144abf22e66b29cbf853407c7fa39944630f3095bd193ff4454ea1deee02a17c076623c3385133aa31f33b6675af72a32a979cd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
669a09d30dc5626e9ca26bdbf7be7831

SHA1
b4c5d9014c298f3916621c041f0b8997aa2da723

SHA256
e28f547409cb180718141c8082e04c2f93f84de7e96e1ce72bfc92b2fc4d1975

SHA512
aa19c6a3f0f98af6164ab0d40ce026629c54a9c2e9150fe2bf8a226a0038214574c5994b33589ec5a65b5f5f925edc4ab40bb9876ccf7a47730f70d17d435bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
d53c8dc2bae892811deac52349717b5d

SHA1
18dab1be2505fa34fc030ae581315245fc76d0e5

SHA256
581908a9f6515b654d58a7771161b31ec2862ee9f0a11f3cdae9de02ef17aab9

SHA512
3d5d308f450d63f54c21c95ba45bc11fd57f8787fdcadc9cdc909c18c772d041f9b7bd5de8c05ce20d4ffd19bed3e8d379b316a951a9b20913100a8eedfb3251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
4646ff259b26f6b438a8d7a051e4391a

SHA1
a8b634a9ddf87ea48651706d5834cf42c9a07b4d

SHA256
83b2de8eb5e6e2987fd29a8687baf318f093272a703464150dfc70b404f87632

SHA512
0a77323a139861cadf96576780071f2d2bcd5cf09f29237c0b541ba0534e752b5c777becd342acbc630b825cb120d99ffd769664f576ac853665aa3fa1f36b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d33842e12f7308e7d8b84eff325cf5d7

SHA1
bc409517cfdc6251a3308c8742c348e4315b3adc

SHA256
71f15be26a4ca885f81b191ea177146e9cf5565055c8c5f6d6520bd7384ba2c2

SHA512
e25187465c84d03959ebd40ede630960c37862ce75a45fda97f48a03e91b6f67249a2fb439fba9c08e9934baffc38afb15853b7c9ca89336336048071f432549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
0696375d429a5afb62dcd802f4b2ffba

SHA1
3240335eea95cd30252171c1f67bf89f4ae87847

SHA256
fed61860c8558f52f9b7fc76107c066a50a26a7f5045ff3f4ff84c016ea2e0b4

SHA512
718243f4b9308a6f72ee834997211bdc2f17ba0652e62e2da51170b4fb38d57d46fde23d881c27e04456f211b6f200a54942c31fafa602a2efd3f88378c3e5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.25.1\typosquatting_list.pb

Filesize
628KB

MD5
c26015b2460d1acf6859aad730dc8f4a

SHA1
9c772753b62eaf995e39ea5ce1ef86454b58f169

SHA256
5d816db5713aa5d2fa0c1de5461729250439d7609d95bd65623c0ea62da192c7

SHA512
ef72f6e7a4ac1eab4c59ef0d90f884e29880a305ca262869b87a90462897d182a45b38fb074d704205a422cb886214c05aea6d0701715917b3092cb15559a6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
13057a20b9a00b6e94b56a21cbc14b22

SHA1
bc72025648342e46785d94d68d3438a7fbe1233f

SHA256
94b552bd712ddc8d8e795b964e34b6330b2ee7674aa259c3f2758ab22616e102

SHA512
a6e7db894fd2b52ed2e3a9674a6a7d50d861e9cd01173d907dc1efae05d7b5de7fd33d1684183ac398994c14be7d526c0ee70f5e8c0718f331beac00f3714b6e

Download Submit
C:\Users\Admin\Documents\MOKSC\youtube.exe

Filesize
1.2MB

MD5
0df35e9bc20c616eaf0ec1cbf035f1e5

SHA1
fe5e7ec788f03838289528ccc96f42ee5aaf8e6f

SHA256
141b05d0d385bf28f19c8cb147a8232bef096ee5a24082c022f0e2efe1387d03

SHA512
9b14f02072d7fde33cf4e00cf3289a1adfbb42c3707ce9a30b4149e97aaa9c7a37bc9e2dde365452481c54039efc9fe2eccf6d79217f62b4205d48bd428336d7

Download Submit
memory/804-90-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-42-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-48-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-51-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-43-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-47-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-44-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/804-45-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-510-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-571-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-531-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-514-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-512-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-513-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1180-507-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5508-493-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5508-95-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5508-509-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5508-492-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5616-511-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/5960-31-0x0000000003590000-0x00000000036F0000-memory.dmp

Filesize
1.4MB

Download
memory/5960-9-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-50-0x0000000002450000-0x00000000024B0000-memory.dmp

Filesize
384KB

Download
memory/5960-30-0x0000000002450000-0x00000000024B0000-memory.dmp

Filesize
384KB

Download
memory/5960-4-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/5960-5-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/5960-22-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-2-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/5960-3-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/5960-7-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/5960-33-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-8-0x0000000003590000-0x00000000036F0000-memory.dmp

Filesize
1.4MB

Download
memory/5960-34-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/5960-35-0x0000000003580000-0x0000000003586000-memory.dmp

Filesize
24KB

Download
memory/5960-40-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/5960-39-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5960-38-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5960-37-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/5960-0-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5960-36-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/5960-41-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5960-32-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-10-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-11-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-12-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-13-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-14-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-15-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-49-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5960-29-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/5960-16-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-17-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5960-18-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-19-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/5960-23-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-24-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-25-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-26-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-27-0x0000000003590000-0x0000000003592000-memory.dmp

Filesize
8KB

Download
memory/5960-28-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/5960-20-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-21-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/5960-6-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/5960-1-0x0000000002450000-0x00000000024B0000-memory.dmp

Filesize
384KB

Download