hxxps://github[.]com/Dfmaaa/MEMZ-virus/blob/main/MEMZ[.]exe

Resubmissions

14/02/2024, 00:03

240214-acjlqsdd84 10

14/02/2024, 00:00

240214-aagpcscb5w 8

13/02/2024, 23:57

240213-3zsr5sdd36 8

Analysis

max time kernel
85s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus/blob/main/MEMZ.exe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 11 IoCs

pid	Process
6404	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6692	MEMZ.exe
6792	MEMZ.exe
6816	MEMZ.exe
6540	MEMZ.exe
5196	MEMZ.exe
5296	MEMZ.exe
5164	MEMZ.exe
6976	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
108	whatismyipaddress.com
109	whatismyipaddress.com
110	whatismyipaddress.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{7D208F09-5BD2-4943-9226-83FEC534F255}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 287944.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
1212	msedge.exe
1212	msedge.exe
1624	identity_helper.exe
1624	identity_helper.exe
2256	msedge.exe
2256	msedge.exe
6024	msedge.exe
6024	msedge.exe
6604	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6692	MEMZ.exe
6792	MEMZ.exe
6692	MEMZ.exe
6792	MEMZ.exe
6792	MEMZ.exe
6792	MEMZ.exe
6692	MEMZ.exe
6692	MEMZ.exe
6604	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6632	MEMZ.exe
6816	MEMZ.exe
6816	MEMZ.exe
6692	MEMZ.exe
6792	MEMZ.exe
6692	MEMZ.exe
6792	MEMZ.exe
6632	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6604	MEMZ.exe
6604	MEMZ.exe
6632	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6792	MEMZ.exe
6792	MEMZ.exe
6692	MEMZ.exe
6692	MEMZ.exe
6816	MEMZ.exe
6816	MEMZ.exe
6692	MEMZ.exe
6816	MEMZ.exe
6692	MEMZ.exe
6816	MEMZ.exe
6792	MEMZ.exe
6632	MEMZ.exe
6792	MEMZ.exe
6632	MEMZ.exe
6604	MEMZ.exe
6604	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1696	1212	msedge.exe	84
PID 1212 wrote to memory of 1696	1212	msedge.exe	84
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 3768	1212	msedge.exe	87
PID 1212 wrote to memory of 648	1212	msedge.exe	86
PID 1212 wrote to memory of 648	1212	msedge.exe	86
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85
PID 1212 wrote to memory of 4744	1212	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus/blob/main/MEMZ.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd3ca46f8,0x7ffbd3ca4708,0x7ffbd3ca4718
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3632 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8592 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8928 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1
  2⤵
  PID:6348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9428 /prefetch:1
  2⤵
  PID:6672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9476 /prefetch:1
  2⤵
  PID:6820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:1
  2⤵
  PID:7124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,2678607663907446699,15107237892658266448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6404
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6632
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6604
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6692
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6792
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6816
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:6540
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:5568
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5196
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:5296
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:5164
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:6976
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:4532
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:1260
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    PID:5796
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:6628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x45c
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
241KB

MD5
94eb3b562647cb059e1dc7e28e1c1d27

SHA1
761597bad8036d032f24915d1d8dea7fcb059b8b

SHA256
9442dc58fedfc285331b9059cc7e22e5eea150c4fca3b96a0e38b9fba8a04259

SHA512
8e989da8b4ac8b29964cff22828a82a52d92591b250b16490cf504ef8956b3d0cde3d25edf617aef0febafb487614584440da0766c191bdeabeea5674661ffad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fc661cea7f3236d560a8b3038d49fce3

SHA1
c55a23167d74a873a2aa1a73c2a2b6d0a7af0632

SHA256
4a3a6344ed7293d5d2aaa2f86236ec080c20e1e4da94639f0a8f3bb07bd17dad

SHA512
3ecb127234bfb65b47deb6a955565b9e2d65fbf9f653c7a7c0b62ce2bdb6608eeaee9d34a90b6cb1919a2c6093a50f9558c03604129b1df3ee6cd6f90b299173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
834202aee1052d01c1d3c7af6208c5e7

SHA1
95ab1445b01127704cb59d014347d95e6c2ebea0

SHA256
4a31e057ffc409d27dc27544b7bce4ffeadcbb7ca0234a0bb15656ee358d6b9f

SHA512
da04e7952e790b8f3a9558c9c0824dfa092bafbfee7d48983a9438a64e5e643eb1d110f6b45a0b5060bf24735ded1ca1498fd706e8a1468333734181cf2a54ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
782dbf582c28ea35aa1aa69272beed7f

SHA1
f91271ab56e006e9a62c5dcd76825bf4338666fe

SHA256
e70fbcd5ff6f4c9ff24b2291d19a40af15527dd078051639d17c819c0e347a2d

SHA512
02ac0dcf0e81b078d46cfc0622a70205638002e53c31e32cf4b14af0e6532b5b34b6f4ba152378c3543249129b0490e698faf69ecc375051f199c140ecd371cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9c61020093b37980e2be3a2d11bcaa9

SHA1
3b17921d400b6bc5c06eebf03ae9934a8bdafe62

SHA256
be3bd39026a035af83af3016aac46315c452a0d133a4563aee02d1f8bb0ec9b5

SHA512
7f3e895af76a83f8fb8f5b5c812a4b7ee2b9ddf7f08947440ada4e075e6420ba701e3110efe522eaba211a0cd2f1b53e2547951f1350006d515432d5e3adf6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2600afc813ae92265d7b52a717c3f00f

SHA1
063520732e50908f9333fa0a4ceb4b9f883eae65

SHA256
231bbf1e1d041a758462cd8da1699ccbbcae28601fde101f76d01e71bf3fe4bb

SHA512
9d9a074c9f15b741d3ff22d3787681fa3c2480027f93581396b0fdf99f8bc7845d188baddc4c6a4dea755ab743ae2119facdd31a3f5b5adb39b73ca961f58527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a1990d149f79ecada3b28dcb1372c04

SHA1
6eb788a651a1b2f5b108109c20e582327bc620dd

SHA256
18e2e17fcec295e6247c8fcfc7d6beb83bc2ce895d7a8f10a36878b130d42a15

SHA512
0f9845f078a37b576b4909c9bf24f4684583cbab48adac1a11d0eb92a22baabcbb191858a9c072d63deca2ec439c09308893214b80a7be9e25abca1ba75d97ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
07f26265f30dd2b7e8a58c561d58d175

SHA1
6a80ce8ead8c7a5e2d751cfe12c641852e589ca1

SHA256
28bac3ba5a1ee4b53bd6d93207c280ed81dd4c8ec17df703c7f3fa2567b635c8

SHA512
da6de49bfd6491a121b105aa48bf234e384e76d415a8941f0b08f0b6dff79aca886a959fb158f811b7b2210e2a7e241e3ce0fba04cb6acb050c64d70a7282793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
9b8f433745e95b812e3761299fc8ce6e

SHA1
8eca51aaf47986d0f56faa0e93078e3f55911486

SHA256
6e5c9dbda86b4dbd6980ce1f3a46b3b3c940c942f298f8353d0cdb3e0ae4e5fc

SHA512
fca3286250b9a3e8498803751185507511e89b018cb39416fa313d59b11b6a6d63f9e67c914a28e699ee7564b6268df04eeab71fad7af6f68c6404b4fc81ccbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b91b784bfc02c09a5c542795922ede2

SHA1
37367864c2de29a2db58feae2b14ca3e1c028e1b

SHA256
12ed29fd9ff0d2b260be7a4b5c20e68ed9da5128f2fd2ee0e101919fceb28568

SHA512
be4ecbbaccd0446c0ba58592af007728b477b1e4663eb6b1fee8051e3286033ee0ca7d46dd7cc394902557e8e0182ac2b891296a41c46e1a99cc37e6fa0455ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
89c5eee97dd50b48c065e7bb8cebebbf

SHA1
104ca1319db441849cb526133049a198cfea1f6f

SHA256
d16de742e53ab3d15651990c1bd6034aaa0740cb239d2861d9593b1a92af72bc

SHA512
5a2ea2fe75a183c5c33ae45dc97897f38196139eccbe03b932bb7c3f1e4880d35d8016c62c8fec63b6dc264c12104b70538a11907dc34e303141e0a909479b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c776.TMP

Filesize
1KB

MD5
7df0b158dceb8cee08cd5a685ec6f867

SHA1
3b57a210c371471da7e3c4bf7da479e6a8e20ee8

SHA256
3ae6c95edba3cea12df13f947fc54d25367174dea3d64688a86430957886baa7

SHA512
62459d8194a290bb6d86c89b678003053931a7f41cc49d6fde13093fdf3bfac808ebf093e34949783ebc13a8ad6f27bf4b66f2943fc442a225a3066a6db246a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
72673323fb9727447166c8b6dbc26f9d

SHA1
c941d702f4c79475ea0975ae2388d577d5475b48

SHA256
22d0d771067ae3617a11225d8e679a166d59789855c30b04cef32d112778e16e

SHA512
c2809210dbaf8a6b2f2386aab2c8c39cb903874483fcc87cdcd589f111cd15503f9d59c5dcb1d383a742240974107282427d2b60ed03cce27a28440988967bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6bd918aecb605efb38c37526f11ed4f1

SHA1
763e52ad07a526a5de9e5c25b2ba36a498bd5177

SHA256
0676dfe2136e8abf2841831d3cab2aed2dbd397b38b64923c48731083aa6675a

SHA512
6282998f0eb2c960bb96b36458fa3e1878553d8f89fa3fbdfce130e4bd30840968e1e30615c7c923b170ae2871fadd36330af96165aff35a36b764250e9c8039

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit