6876e647529d14ec1bcb0f86cbcb5e56f2ea452b3c559becba66309bbc5af3f0

Analysis

max time kernel
252s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2023 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NL Hybrid.exe
Size

4.6MB
MD5

9919c732de9be51b26277eb2a56d1050
SHA1

52f3cd72659c7f1bbca70e7e5f1c242ace3167d5
SHA256

15f6bf413abc71a741a013fd819737c0235f88139ab4caaf216c1882208a50c8
SHA512

d189ce6726b74edf9dda0020af8c6b090ff86c27b02ae2f12123c63270a7a4c9418ad6304112ee45157f208204a038cf5b2eae4549cc535489b3494931418d59
SSDEEP

98304:BXaNRs0fX+Gv5mC94AWGT31VCOrPsVW/+tnTXvC1dcP8rmB5Oa5:BXAfOSmC9H1HrPcXK1mkr

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 8 IoCs

pid	Process
5424	MEMZ.exe
5020	MEMZ.exe
60	MEMZ.exe
4316	MEMZ.exe
3540	MEMZ.exe
5276	MEMZ.exe
1976	MEMZ.exe
228	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350690463-3549324357-1323838019-1000\{927C995F-86D6-4BAD-B65E-8C9ED59E30C9}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	MEMZ.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 703400.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
2312	msedge.exe
2312	msedge.exe
5528	identity_helper.exe
5528	identity_helper.exe
5160	msedge.exe
5160	msedge.exe
6068	msedge.exe
6068	msedge.exe
3540	MEMZ.exe
4316	MEMZ.exe
3540	MEMZ.exe
4316	MEMZ.exe
60	MEMZ.exe
60	MEMZ.exe
60	MEMZ.exe
60	MEMZ.exe
4316	MEMZ.exe
3540	MEMZ.exe
4316	MEMZ.exe
3540	MEMZ.exe
60	MEMZ.exe
60	MEMZ.exe
5276	MEMZ.exe
5276	MEMZ.exe
60	MEMZ.exe
1976	MEMZ.exe
1976	MEMZ.exe
60	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
4316	MEMZ.exe
4316	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
1976	MEMZ.exe
1976	MEMZ.exe
5276	MEMZ.exe
5276	MEMZ.exe
60	MEMZ.exe
4316	MEMZ.exe
60	MEMZ.exe
4316	MEMZ.exe
1976	MEMZ.exe
1976	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
5276	MEMZ.exe
5276	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
4316	MEMZ.exe
4316	MEMZ.exe
60	MEMZ.exe
60	MEMZ.exe
1976	MEMZ.exe
5276	MEMZ.exe
5276	MEMZ.exe
1976	MEMZ.exe
60	MEMZ.exe
4316	MEMZ.exe
60	MEMZ.exe
4316	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4216	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: 33	4216	mmc.exe
Token: SeIncBasePriorityPrivilege	4216	mmc.exe
Token: 33	4216	mmc.exe
Token: SeIncBasePriorityPrivilege	4216	mmc.exe
Token: 33	5580	mmc.exe
Token: SeIncBasePriorityPrivilege	5580	mmc.exe
Token: 33	5580	mmc.exe
Token: SeIncBasePriorityPrivilege	5580	mmc.exe
Token: 33	5580	mmc.exe
Token: SeIncBasePriorityPrivilege	5580	mmc.exe
Token: SeManageVolumePrivilege	5964	svchost.exe
Token: 33	3188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3188	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4588	mmc.exe
4216	mmc.exe
4216	mmc.exe
5168	mmc.exe
5580	mmc.exe
5580	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3868	2312	msedge.exe	102
PID 2312 wrote to memory of 3868	2312	msedge.exe	102
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1524	2312	msedge.exe	103
PID 2312 wrote to memory of 1948	2312	msedge.exe	104
PID 2312 wrote to memory of 1948	2312	msedge.exe	104
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105
PID 2312 wrote to memory of 4696	2312	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\NL Hybrid.exe
"C:\Users\Admin\AppData\Local\Temp\NL Hybrid.exe"
1⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffbc3f646f8,0x7ffbc3f64708,0x7ffbc3f64718
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  PID:5720
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5424
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4316
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:60
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5276
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    PID:228
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4588
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection
      4⤵
      PID:5980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbc3f646f8,0x7ffbc3f64708,0x7ffbc3f64718
        5⤵
        
        PID:5256
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5168
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
      4⤵
      PID:5468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbc3f646f8,0x7ffbc3f64708,0x7ffbc3f64718
        5⤵
        
        PID:864
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:5020
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:4808
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:5500
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:5380
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:5732
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:3432
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    PID:5684
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6168 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,5286722263062787824,12543074105116370935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5580

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
4d2ce9bbe000b726504422b78983f879

SHA1
a9e4fb7c131cf7d1efcd4f6eaca82db99f775c9c

SHA256
6b2af5580388dd00b334b45b1cb140f46895b5996c81e4787ed54cf522280c9a

SHA512
5e0f80c0d8c971589f6cace7e41836b57e9825bfe63e76b2d802b8ffae61bbf53cc5bdef49ba530d829e6cc77a91cc79924053cdde262c7a760951f8a60ae433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0358b88d-7fe3-48da-98d4-37ddba5ac73d.tmp

Filesize
11KB

MD5
c8506b2b82d2b348a9628e23d50991b7

SHA1
26d03362eb976f932326b876d9a445fd0042cc90

SHA256
919a2bf1daa30074283c217d7577da60058e4554ea0e1273eee7a3f6282ed320

SHA512
75c83537f17c3eed83b62511e55164aaf1c9d1812669ed98dc95319f1a9b532693c908908a44fb837bcb8e7e7d8339dde4a4c78c16ad673d27738a0f457496ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d57931791fcf5e6b8512dcf3d513fad7

SHA1
6380f9f9455e1fe7f969d0afc1060ea06c2233c7

SHA256
eaf5a6fd25c370df5db17cab915675abfb655623be0b3b00b7b74f828ae0301c

SHA512
2ad7f7bd80949206e5470ed6fd3cb6ed06566ab15f9c710af367479eab4cda19a8e92ad7b00ee2b3264d0c26b21c1fac416b307a4dfddf320ac635bd460a58ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f038c76dfb03f98a8a96018e0c05b07f

SHA1
cf06e9919f2046de56b0216e3e94f8399ab95c41

SHA256
b360146fc08f68c160baa47283b56bfb82a410738843d8d9551e77d31b7df92e

SHA512
4b9a0782d9681910211fd5d0ebf09dccad7936ade3e79eeb9d76df1d2038b7beb3f2ebc78fca17932507e554c03636413e9d32b63ddef5bad0bacccb39566c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
25253297630cfb7ad3192fe0dc4c2ef3

SHA1
58b889025485d5268653f502d01018615ed66483

SHA256
4c36d1a18653c82ce68e467b4da6eec0b48eb20119a8b214f0ed38b50715e640

SHA512
94972202003484682868bef18d3d68a9607fb777b927968918741ab8be077476b345acbbddf253fe517d802a0dff3970e9a29f73cc855bd61df4493d8f8d4469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
867B

MD5
150d072ffeeb3d69a19cd6235c65f240

SHA1
4adc3510bd614c9ea2c5e856a4a47fb71b166a81

SHA256
7c2ec65dd52911c50f1c8a83da25e6786900cab65db4f16f1e3599a0bb37689c

SHA512
b0e557505f8188adba298f53ecbe925c4d97a7dded0c5d8a423b2e2be0e6b4102d3e26baf4918c851f80c41d730e80f260b3132712d9dbdd084dba4f10e8a0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f539aa43f6b8d509d7db8c27ae0d91df

SHA1
ab1b1e28cdd0b3a2112d110eb60742ced4bafe6b

SHA256
c492b506fe8a00d0f6c29137369edf9bb302a6650dcb98b7efae384ac1429c3f

SHA512
ba20bd0ae9c42b20112b5f82d5a0b05f002802d7bcc5fec40fd22f1e7a651220658a68826583d624ff329b40708d8cad0b7d85cc36de52a552922c0a3121ca4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccf0b2bbb6164064d110e58b17922f41

SHA1
137150be955fadeb4285d16082108626b3f6aeff

SHA256
c8f831c50a6a3c8ec812d0e68836bc587a42ae2b7c34eba640e7974d51a51b51

SHA512
ef874257a367c98aa2d6885b1b22d97b15d111ea200f0c8e90ca0250c2d256d04534a85fc6bd0c2ff495706b178cdb7c610f5f9525076fdb98bb867a99cd9dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
315062e21a327e724a1aa5ee184c5674

SHA1
f014ef9a44238493a86f8f05dedc50dc3720b92e

SHA256
a17bebfc65469364291ed65780d9d69b5ef74c0dd6a996859d867b1d50c43534

SHA512
339bd3419b0e80557f3cdef2b811b21b4aaf86dfaa7b70e2afef2927996f2fe623a27e8b3f3e1ddfe49fb5d714a3683aa83e9f55258c69b2734814af57e358d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af3768666ccf8337b0d298e3685efe9f

SHA1
8514d0773003f0938693f290ed299b9c98facc7c

SHA256
f70057d639ccd153b7ad626076531a434bf96e76fcf2a7b127e9bf602e1e695a

SHA512
944ea94b3e54da10428cd6bae454bd09a7210ea2432bbbadf8ab14d70f4cf4268cea4b5d8784e6e22d1918ce9dc0a6b16ffe25a90143ccdc123a8bbc1f8dc352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6eb13c6bb9157c1359f5e105dc0cdd9

SHA1
c3f07f1f4a889af8bc78663b257a79e694373195

SHA256
88835f07ce9a161e0d789cfd4b7aba1de7be0c453be2790e1689bce821f7afc4

SHA512
9164306ef6481ed0513f0cb6d9f12d939e72dd5d0e2c15064381e47aca41854ef8b95c0191243e58b834aebdded7ec73faac7c2e83a7835b439f29cb118eb71e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
99cb50d49d845ebdfb03baa3f7337332

SHA1
ba10fabf4be50120c985075b039a88bd77914238

SHA256
112c22302f2adf9a49e4d5dd6b4d2a0c58f7032b1e28075296bbe8ef7fc27c63

SHA512
9dd9f58afb2558ba3466fd3f028f1300b7d22fa7911e8a6a5d818974b2203ab812d5e68097f9df5038fa43a229745005d1ada797c2f13fbc26f53bc810d50c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af376e16d05ecead17608679fde4045e

SHA1
55b94d12268a256eb70ef863bc494848eb399945

SHA256
c550c8ca537ce8d3c3d5acbc2f6213101f5bd64c3eac80657fb772dec0d7f2ef

SHA512
2f3071e37dcf9c333ac16204c3d593f7209d6852d532a0ac69ab104484f87c72b798519e80af36eb7a953649b276ede042340f008bf43f7b9762b2fe8505f8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d073c84dac74c67b91291941605b747e

SHA1
7470d2b0465d6bb094f735f7c2d1be5699ea217d

SHA256
bc6f05d4393eb32ac85f135cd0fcf147dcaa403d48a71fa0c8b48cc26e856a0e

SHA512
bec8df2043bdfb178b47d25318f9260e2bb3fd86cd601a6edcad2ed546fb8e3813b64bce3753c147e52e09bc01b92756b92410c0a7056d392870217be9e12833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
206fb0fac25464c17c28e12563486fb4

SHA1
4d342724b30128b7d7ed0270db71d3151940da4c

SHA256
4a4461e8b5315c2caab719a3a78dc2e5ef334a5c04de77d4dc0c19afac451f00

SHA512
940680892103cc475896a9a3ccc021fcca3c4c7aa536e0049583a584c2b1f08eb222274818b5ee44aebf2822db04c680e4f412bb2b8f23286d65b91c810d0181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46c9131a06cacf98ef3183f0a2973acc

SHA1
1a06a2a9b883bcf60a5024be44d3fa2cda798484

SHA256
8a0c9f605c0b95f779774cd1e3d67e8e0a6c7c63e3ffbdc252c8d8b05eaec182

SHA512
ea4d68b1d07f7d849442d677a44a69a8e8a15d33c5ce9d0dd57d51a69ed54f6b7de2cf5300e19dd08b0254047fbb85fc8fb97f972dac6b2001c0de085764f33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac9612a35c9d8195ca2929cf94fce99d

SHA1
e8f0b1a48ef4b1522f7e1d9976fb2522c229b35f

SHA256
1cc31f98189ef5a5f15968bf14cd3808481f4106267aaebf79d83c60b879dd1e

SHA512
ef6e29fda87d1822ffe2d3d9fa21c42937af5ec66ea15e23f4ceae9cd8edc6b9d8a448e0b8b6913758f3081d4d98482b247e18be75f8867dff826d53e668bbcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c57e74811c75eff1f55f9d2586510a1

SHA1
dce79bd5ca917f1b133fb25b4f4643e284cfe522

SHA256
00056434eeb4030bae71a6f1afabc91923e6543849104c2c8e7b8b3f3f5a0b05

SHA512
1fbc6156ea9b44b9a839fbbe49d7f86ee21d0730717bda0da3aa715806b640bd9789288b9ce56eab73ca75874e10efb62bf35508329e28dd21b16fd337fcfb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
22ff6842f22f87704330dd3bf534545c

SHA1
731ab770ba96cdda91fb53c85c538714c1deb816

SHA256
616b0bc795149eea63221961a6712f8d97e2434841b88374f07028994c1d403b

SHA512
d7fad91afc6671fb7d9c2f973ac1fe76652fbc19b505e9717d055c27c8dbe1d00321d1e9127570633641604d332f4919229656035b86797561ed9c3e6e999d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85c37dc5453326600fd90f21105239aa

SHA1
f9bfc30daa262e2bf09dac62f430045d3c0166b3

SHA256
51c0c4bb32b16f982cb051245f963948efee35f6af3f083f58aa2ff5d19eb193

SHA512
a1163b4fda5c116a875c6258bb7938f115f15bb97532840f62e1033e69aa3cbcfe144b13ea1d041b485cfc0776c071b0585fc66feb3e37ef6350e2550668ef3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58557e.TMP

Filesize
203B

MD5
f3f2c031ed80304c9c95b680cef0c76f

SHA1
a4a04fb8fda7cf0087e8099e40b5d3586eaac085

SHA256
1d3f52c9b39c644bef172903293d2ef87d6250b5ff8e9d523055073ec9ae4c17

SHA512
716ffd0423bdb5938b1d178729f0489bdd36eb032f44aa7ac5c1a710ab4e8dc23c10231dde089569722c5ac35af85ff5bad8c077483f654f0792beb7892f3ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
216d0345e2894e97a4e4cf1a8d0ec005

SHA1
d26ccbbe81d3bd157de9aa5ebfa7f38696c13b6a

SHA256
721800098104e5883cca9a7eded7bcba19130dfd625b2df259321bbaae81ed85

SHA512
5bb71b132e2216ef9649282ea6698b7d9c987769c7f674f0f5bc908a43ba5a8f2b13ad175e27abfd79d7b4978658b5eeca7eaaacf031156b04aaf57e25c8e585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cf9e30f4919f350eeb922d3020edde50

SHA1
a53993790bdad7c9c77ebb5751349b3082047c81

SHA256
5740cc88ee299dc16c4121e5c2339df9059fcccfcc27bc0441213165991ec7c8

SHA512
5dacd797109b9698f5ac5fe8e7e93e3f6e4116d023f37577f39cdde5ab530b3e69ac3e227a955ecfee8772e32e45a0b7734c317f0462673d2731c34a376cb7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f1ae87cc1aaafaedc8e99e4c7e85a539

SHA1
2426ae9abbd0a843f60e7f1a9e834223527c3cfc

SHA256
9e572aa08f335387c49e3e3f328c251cbd32e8383e24bfc66b086f066469fdb3

SHA512
81be38402a6e299936657a907a402701ec2ece1cd829bf9387e1fe64828413e1acaebe8e776f71d36b73ef97c76861c00ca7ca5d16e0229e8918549387a13821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e6a1dca1a45b76a56d8fc3cd6fb6b068

SHA1
9e74f79c2898ef6d94ba6366cbf22e54c8b8486f

SHA256
35eb1f8559a19738f2351592ef01fd92a1989d47d344bdd884d93e619cf176e9

SHA512
63a05fb047bde2cc8b1d1af352950c20a1bb89584ef3a502419b51c885690d9d441983f90f1d2bf660edb05c0c51a07239fc123ca875130039c103ed170a016d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cc6f252713449948917be4f49c90c03b

SHA1
272d0060455b703d30f29dd833f36298be43c51a

SHA256
64b112a9e2ded268fdf8c4fa449d3b2bbbdc073d7a33cc4013b484fcd8c6c38b

SHA512
092c51e1812445099a4a46da1df64e2a8efb29a2a0f97f76e0e9aeffbe0c2d9eb71157bf75610fc142500909590e86b458deddcd3d985cf44615f867c29a2f53

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/5964-685-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-706-0x000001D35F630000-0x000001D35F631000-memory.dmp

Filesize
4KB

Download
memory/5964-718-0x000001D35F570000-0x000001D35F571000-memory.dmp

Filesize
4KB

Download
memory/5964-694-0x000001D35F640000-0x000001D35F641000-memory.dmp

Filesize
4KB

Download
memory/5964-730-0x000001D35F770000-0x000001D35F771000-memory.dmp

Filesize
4KB

Download
memory/5964-732-0x000001D35F780000-0x000001D35F781000-memory.dmp

Filesize
4KB

Download
memory/5964-733-0x000001D35F780000-0x000001D35F781000-memory.dmp

Filesize
4KB

Download
memory/5964-734-0x000001D35F890000-0x000001D35F891000-memory.dmp

Filesize
4KB

Download
memory/5964-735-0x000001D35F7C0000-0x000001D35F88D000-memory.dmp

Filesize
820KB

Download
memory/5964-692-0x000001D35F630000-0x000001D35F631000-memory.dmp

Filesize
4KB

Download
memory/5964-691-0x000001D35F640000-0x000001D35F641000-memory.dmp

Filesize
4KB

Download
memory/5964-690-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-689-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-688-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-687-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-686-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-684-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-683-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-682-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-681-0x000001D35FA10000-0x000001D35FA11000-memory.dmp

Filesize
4KB

Download
memory/5964-680-0x000001D35F9F0000-0x000001D35F9F1000-memory.dmp

Filesize
4KB

Download
memory/5964-664-0x000001D357440000-0x000001D357450000-memory.dmp

Filesize
64KB

Download
memory/5964-648-0x000001D357340000-0x000001D357350000-memory.dmp

Filesize
64KB

Download