hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ[.]zip

Resubmissions

01-04-2023 06:48

230401-hladeshh3w 6

01-04-2023 06:45

230401-hjjt3sge34 6

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip

Score

6^/10

bootkit persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Endermanch@MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Endermanch@MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@MEMZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bb8313ed-f502-41c6-a036-3da04400403d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230401064735.pma	setup.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248051773907151"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exe

pid	process
2016	chrome.exe
2016	chrome.exe
4620	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2016	chrome.exe
2016	chrome.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
1060	msedge.exe
1060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Endermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exemspaint.exe

pid	process
4608	Endermanch@MEMZ.exe
4620	Endermanch@MEMZ.exe
2020	Endermanch@MEMZ.exe
2148	Endermanch@MEMZ.exe
3744	Endermanch@MEMZ.exe
212	Endermanch@MEMZ.exe
4756	Endermanch@MEMZ.exe
5552	mspaint.exe
5552	mspaint.exe
5552	mspaint.exe
5552	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2016 wrote to memory of 2476	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 2476	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3464	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3392	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 3392	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe
PID 2016 wrote to memory of 320	2016	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade449758,0x7ffade449768,0x7ffade449778
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:2
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:8
2⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:8
2⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:1
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:1
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:8
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4460 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:2
2⤵
PID:2724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:212

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffad92846f8,0x7ffad9284708,0x7ffad9284718
4⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
4⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
4⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
4⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
4⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
4⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
4⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
4⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
4⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
4⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
4⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
4⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
4⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
4⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff614975460,0x7ff614975470,0x7ff614975480
5⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
4⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
4⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
4⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
4⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
4⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
3⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffad92846f8,0x7ffad9284708,0x7ffad9284718
4⤵
PID:5656

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
a3816ec4abd2f9cf9cb7943031dc3d8a

SHA1
42b60959fcaac20cb25347ab7a41555456a2b4b7

SHA256
288df140e1ec3ad76d739b6f88a2603dd32971e9801506f1be3d71b2daa813f9

SHA512
0e0845d99e3de6f8fa272cb748dc4f53b9a4e0458b1f683fcffcf584d94ede11f4b270b6addc7a334a8caee9b9ff4476fe5bc8ca8833ba6d2867bf4ccae58e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e344cd0e2bef6c9b118be294103f9adb

SHA1
0e0d23c7ddcf5b5dd906f44cd3046efdc69a994e

SHA256
edb474089775969e5759d7729e0a350400029c707d60afadc6853ea3345647b0

SHA512
02d86965dd6986b4507f4f710a6b583706b4c47cf4fcb20f036323dd7bb891bafa7b7b368b1478a0475f4a822c0e95b84b2e2e47fff6f7807b414672efb84df3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3f7065305a4116dcb09d21e949adbddd

SHA1
282d998143e48b92179311924a643cec2b0beb89

SHA256
e4b12532e280c74365bdf6591dbc21914ead2cd1d2e5378088967ffae5b2a414

SHA512
ca1a33fb5e31ab6c9645e1a0a7d000f9a0621d1a00033362c5491ca84d97d722db527bf5bfda72915c2320ef7a71ccedd9578e14b16a6243853761ca7a8be392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
78a4ec7a0a053b0ed4c2c2c7c141726a

SHA1
206e3957deb6afeef71c0450139306218f154950

SHA256
4b84058ae2f33c287aa1133fb571f8e3ec279365ccbc4e85120faa9c4dcd446b

SHA512
c324f132d43bb0de807543b9d600ac68eedc136420dc85ffa10f4f620ab80477869a5ed55f7feb0a8120e6755e875be285a72773c2fbdfafddc0f7becc27689e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
689ba893c7f135ec755c558a1da13be7

SHA1
f3b3e44a8942bcc9130f066cfac3a6a40e7edaa2

SHA256
307eecbd7257ae85e4f214b605ba3c924f57c07cc57ccfe26b7240957db8341a

SHA512
a5b4c642b31259ffcf0b9c97010a62e5dfa09e260af56848a327e85a09f272e1187896f9847adb12327ebfa0cebd5a0cf02375e1fd2e8515c81bb33ce7c9e241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
3a223540ec3e38831ead6608e25c5df9

SHA1
4df41895e1ed885d879f1cf0cfb236312955b88b

SHA256
457422f30f86c4eed46a69b09c433e8524005513f87b61cae028698d70509d5a

SHA512
9ee98798c3550f0ffaea46498dc663f46aa70db15d7c7a1d1686e17b8bbf510a20e770d360b22a5caf0995b3d2e2cf39dc7ffb8411d0a46d3ca848a5c72a06e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2caacb576a2165b7eec1a5c63672ccb2

SHA1
c461336165dbc790711cbf8b3e5e15e473f82593

SHA256
1a74f727ad87cfee9d3537b65c7315508d73c256d24e32825274cceacae23e6e

SHA512
5375c619d0da88cb84c8925394362ab3c072d1b0b80910cd033ad196a710517af2be71b0298d8af619dd305913ee6f87e52c2bd06ca78b21d04186b13593ca07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bc602526-2179-44ca-ade9-2e6697638a7c.tmp
Filesize
5KB

MD5
8aaf720cc75767091c728efdbcf28a7d

SHA1
fa4bdce19a42b5adec40bb458047ac67534041e9

SHA256
a2afe139f5a1f4facd45aac41b490d0b3b9a8c2581f9addbadcde99130e40fbd

SHA512
c687649ccfec0ff546f983c9c09a49db443fd0d8257a03d53890d79c16758e3af1f413f5bcffb8570a21ca0cc7b2246619ca157a812085e9c43874b571fd6f37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
e13f3604eab61d33a5a5e0a643442e05

SHA1
40e3a0fd7acf18a5e0fdede34af373867024abd3

SHA256
2b86e5874f4810be06c14935531fbf4aa7cab9ff8ddde67f47e710a9ee236c08

SHA512
7ebb7ee5f8a5aaf941f81b60bed1ad686b15925b91f8685a3efca2d5e33fbf2b9454139c4186eda7ea37439e1a29a1b379d71cd01403c547e09bc50b60d8516b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
e13f3604eab61d33a5a5e0a643442e05

SHA1
40e3a0fd7acf18a5e0fdede34af373867024abd3

SHA256
2b86e5874f4810be06c14935531fbf4aa7cab9ff8ddde67f47e710a9ee236c08

SHA512
7ebb7ee5f8a5aaf941f81b60bed1ad686b15925b91f8685a3efca2d5e33fbf2b9454139c4186eda7ea37439e1a29a1b379d71cd01403c547e09bc50b60d8516b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
014c9ce3e520f19a8bba679c7296f8c0

SHA1
dea10f30a0c313c5c9e23e45b21ed5c5e02624b9

SHA256
8d37ac330684d1c59dfd971e5e5b8b1923e4d127262a8ed5159896358c52a295

SHA512
d473297d1104abedeb488e33d49b6d563d0c8e002dad29abdcd7b7735e14d1b32c36bd057421a52befdbbbce06260c58530ffd38aad4878af74a722e664f050f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\154b5b64-9c23-493f-8148-cf14dd4d3990.tmp
Filesize
1KB

MD5
2fe437b052017e175454c022cf76815f

SHA1
e3fcbb7964a07dc824b54819486deccbadd01937

SHA256
935967c5697754153228f8f7fc2641f0f8b1628b7dfcb492fdd41ed064576e4f

SHA512
ada53b27033678c9dbf3380dbbf1dc4d5222dce932868b0388fbee9adff87ebe0b5408c5483e9a13f157afa096d5a2a7107d409b6a5e53b21db8b87adbb357a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
9ecae2e3db056eeff722d72c233b4359

SHA1
d29667f71cf0803716feb2408181801e74246347

SHA256
b143f876d07cfc29911c7dc753921a34c6e66e0712dec7f136c26de54f6fd3ca

SHA512
f14ca6aca364f788398069ee11a739f5573f18f2b22d697544bd71a84453489b4773ddce832f54b6b20fc0c42929a75119c8a2275266f3e25bc60aae9ab68b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
792B

MD5
2468c719ecafb3cd015cf2f48d7e8803

SHA1
99d256aad025bf14ece0c84e5dd98b763d5696bb

SHA256
b3e70c0a4432e8f1d15458a748a3c54b266e3af5fe3fb250363c5edf1a9a01c6

SHA512
8430ae3549d91d1c84fcf7338366e51e5e811597e71676c8022a0ac5cb752a214d7d39cf90055dcc8e4705cbaf040f6d73d954c3926b4eb219a91c495b8a7d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583ad2.TMP
Filesize
48B

MD5
c0ecece6175798169c8dd67d9b085acc

SHA1
57acc1903ef992de055ea64d4384ac0c3ac4acd8

SHA256
9f8e7b3bb310f433b8d5388f450544d8917eada0c6c45aab63540393092ea726

SHA512
c2f4c0df9567c0e0df00e8ce2a670e0a0e681cc8ad7beb7988a90ebe179845d60fed0c909d3c56719e205f27ef6f472fee778143d95f0a6ededc64306e610b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
f3e349da720076c2e02255d88f0ab52f

SHA1
17499624fd7b45c18ba4555c958499dae9c6fca2

SHA256
4715087a1c4e3964a50f0f433e468eca0777ae32172537bb97dde9d31e067a74

SHA512
2e637beca72a89e9824a2214eef114237c67dbee0a577134ac1dbde394775de31a615a3485a0ee9d0a326e67c5ba74c2203552d14603e74478fca437398ed44a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
57ba770ae30666e100c9973383092226

SHA1
78831f396e25f3f7fa7bb33311d146b783aee3b7

SHA256
63c6b6581585b0a8b8fe56bfa96b00b66313de7327fb6a47433e1c15968c1279

SHA512
1732e13dabae7b8da37da9e6e82a527bf14cea533f8fce19d4b2727fa87411f58c24b7a77dd1c3dd3c7c3fc869ab25089b12820dd5cfe90433d5691631bef805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
1008f45a0e638aa7372730235d96d09c

SHA1
b9b1409027c5f8c72202864f257944163f79d830

SHA256
1efb436a1c83ef657e8df663d0b4fb387d9f6b0f515d54436ccdee836ac34aea

SHA512
0f48d50306fc397ebaaf8da6e25167a3decedbb02f7683618f43843bc80e6a551798eb797767e5e675656acc0664fe869a361bf418b46b980182af8b74fe763a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4a3c3f55a243f43bffeb7a278a0803c1

SHA1
f55e75cafe483d36fe169a3730aff2d5407ba021

SHA256
904316a0e7427c877d48d16ba8814632a10edbbd47d742d3fbb8be2671d39b48

SHA512
c3e40682613036527cb5564f12c390c74e8219876f659c0ce130abb1ee9e8f6491887380c17a4dee71b05d3708ed4bcb1fa5d0053816c911c967fdf04e390700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4ecee3ffa292341bcc10aa039830dbbb

SHA1
8f3e9771b7357f7fd49f5db77bae1f52d34d730f

SHA256
1cf40fdc183525dc58ca218a30db0319f915e71cc7ab98f08730a76bfe9d64eb

SHA512
e1539ea94397cd007fcd3e6417861b250df5969fae9e401de629a402feb9832fde8752da424ae9f168433a8b5ac83d1e43be390bdcb648dcfe80ede9fd8f8918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
300cef0e9e896e99ef8611641c0b95bb

SHA1
9e2ba1cb7696dd11b19a26cac5eb9155f45c66b2

SHA256
afadd7e42f6b813f8a5f94402caf41a3aac2b50a5f9a70a98847c8d47f019404

SHA512
774e6db1e89d72b8e1b424ff4117aa74e4dc8fb1a0de3e67cd1164852d2b81d7ee850de3f1375b6a5b54fff05c53bf2b39d37beae9c620ec392b4a9e629545bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
dc663744f4c19c3d36f688496fc98e8f

SHA1
fd705a541f128076551acb79bc5dee91c412c650

SHA256
50564030084ae844cd55a287b87112d44d30e14181bb17f867ffff9e3b47975b

SHA512
6e640961db583fa61f7fb704d1def38a982a1bced118cd0a29ccd7a8c50bc8c56a79cb49b3ff968a0e68c26ccb19bfd9787cc6bfb3881c47efa1efa13acdc76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5833fc.TMP
Filesize
1KB

MD5
4327d87f2cdea63dec34bc6b302c9301

SHA1
9ca5009524398634197df6dd164f7d729a025adc

SHA256
d35a4e544694430b66476008dea9653ef1c6e19fc78d1a223a17dfe16ca7becd

SHA512
bfe92e37aea24e50371d9653b05725e6772bd487b230041c609cc72ffb47b28cbc54c65ef0684ef9fe514b25109b7c296c388f15008dc98aa55f5d99e461b47e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
0d5876af5c75c0f7916442b6e78e97fc

SHA1
8fb85a374923a1f6f9bdea360421dec83f11f5a8

SHA256
c9f81f3e543d44c423a37e95eed962a06887d7de85d3893e4598e257dea3c3f0

SHA512
af74d1ce54b6eb17248e589a394abf9979f81cdd44111bea9516cad6a9d6aa86b95f8e28dd5abe76d0694bd55f2cb269251bf0195d85bbb97acf1be0527739d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9307d10f6baae86054eba13204d5a6ac

SHA1
298941763ed42b0e98e1f3992a42ff0044b2d434

SHA256
3c58da624c84f1a1603f150f0fd0951874ffdb90511bfde720b4a53141fc0da5

SHA512
63251019abbd6396fb76d0d67996e2b45c8020adf3468c9ccd737bb1ec253cc66627ab3d33d0983c421098e7efc28a06144427a40a8bf511b1d55b22480f2345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
dc70f82a44fe954e28fde43e006c143b

SHA1
026365b6b6eb3b8a5e58726551a7f329f5e46f96

SHA256
96c30bb909b4b76276f78daaa0d5fb2d5f3ecdc1d94fd0c6b1dc79b063a61246

SHA512
3f3b59df0cf448711f513dd50e7a9281e6522f94c58367b05f9471123fd87fc6a07f6184b884408efd0ee530f8b39c41072fca1a01eb36c6771593f864bc0244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
eacd7cf95d5d83396deeef7d47064ccc

SHA1
7a197d2e2768f9f878d015a7e61946b704096023

SHA256
b0325adcdaed44b81b25f47947acace94559cd92f168d20ed577f5431d387427

SHA512
c92a05abf1088f776894f065d7a1aa74faa430aa3c7d864b0b50ac58f5838746b7b1a53d856713ef5b56c40dc318dbc246f629acfc06f29ed222726544e0e9ca

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_1060_YNQQJSLFIQULLOIJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2016_CYIILILCZYJBYSQO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit