edbffba6e6d33eba1b770f94cbf151815997c556523c0dce832cbf1eda01fa71

Resubmissions

25/03/2024, 19:01

240325-xphljafh58 1

25/03/2024, 18:58

240325-xmn1jaaf3w 6

Analysis

max time kernel
143s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ-virus
Size

215KB
MD5

369b4e1e774576fe2b6eda759b8bec5d
SHA1

d93ebafcecd8a95a4345c78e2475163f01f49ce0
SHA256

edbffba6e6d33eba1b770f94cbf151815997c556523c0dce832cbf1eda01fa71
SHA512

a4f3b0a4f2e9118e56ba5a4112c709eb1ab769324a6e152d6ec4f50c15fc23a91ab33d91b6af2a7e57046eaad85a6af94ecbc3a6e70dc5d8b16c7689094b8180
SSDEEP

6144:oDuqJDfWeVSgE29xxspm0n1vuz379uvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViN:KfWeVSgE29xxspm0n1vuz379uvZJT3CU

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3594324687-1993884830-4019639329-1000\{5BCE8A34-0CBE-4814-BCC1-F17C13C77D05}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
4840	msedge.exe
4840	msedge.exe
4412	msedge.exe
4412	msedge.exe
5084	msedge.exe
5084	msedge.exe
2724	identity_helper.exe
2724	identity_helper.exe
4896	msedge.exe
4896	msedge.exe
8	msedge.exe
8	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
484	msedge.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	firefox.exe
Token: SeDebugPrivilege	3272	firefox.exe
Token: SeShutdownPrivilege	4072	MEMZ-Destructive.exe
Token: SeShutdownPrivilege	780	MEMZ-Destructive.exe
Token: SeShutdownPrivilege	3244	MEMZ-Destructive.exe
Token: SeShutdownPrivilege	5040	MEMZ-Destructive.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3272	firefox.exe
3272	firefox.exe
3272	firefox.exe
3272	firefox.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3272	firefox.exe
3272	firefox.exe
3272	firefox.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3272	firefox.exe
3220	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
4896	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
3244	MEMZ-Destructive.exe
5040	MEMZ-Destructive.exe
780	MEMZ-Destructive.exe
4072	MEMZ-Destructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3180 wrote to memory of 3272	3180	firefox.exe	81
PID 3272 wrote to memory of 4956	3272	firefox.exe	82
PID 3272 wrote to memory of 4956	3272	firefox.exe	82
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 3044	3272	firefox.exe	83
PID 3272 wrote to memory of 992	3272	firefox.exe	84
PID 3272 wrote to memory of 992	3272	firefox.exe	84
PID 3272 wrote to memory of 992	3272	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MEMZ-virus
1⤵
PID:788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.0.838852484\2140197179" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b89d37c-079d-40b6-837f-7e6e225f4dcc} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 1884 262c8905d58 gpu
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.1.915315707\1123458252" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2212 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c661f784-2258-49ae-87d2-3d26ff1089ab} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 2260 262c76e5f58 socket
    3⤵
    - Checks processor information in registry
    PID:3044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.2.296417578\233792535" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3020 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4fa7295-479f-4438-a7f2-26ba3456602d} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 2996 262c7b66258 tab
    3⤵
    PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.3.130148966\397541108" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d62a40ed-98d3-4781-b0ae-aa005337fd77} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 3476 262bb767e58 tab
    3⤵
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.4.1986404347\574303597" -childID 3 -isForBrowser -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0399b73-339b-41ac-ab28-306a2cdbfeaf} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 4132 262cdbe3658 tab
    3⤵
    PID:1924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.5.452144866\1642912733" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 5096 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad5464ea-ad76-46df-b40f-5d32e4d5db70} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 4992 262cecc9058 tab
    3⤵
    PID:2864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.6.1872658338\371530298" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b53fdaf-b541-4ea3-939f-642793a55851} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 5152 262cecc9c58 tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.7.1546931958\1820800133" -childID 6 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27295357-9b34-483c-9a43-dd3950aaf1b0} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 5344 262cecca558 tab
    3⤵
    PID:3008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3272.8.1987712037\643498825" -childID 7 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {339070b5-e982-4d52-aa05-d7ae368ef95b} 3272 "\\.\pipe\gecko-crash-server-pipe.3272" 5864 262d09f2b58 tab
    3⤵
    PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc08f13cb8,0x7ffc08f13cc8,0x7ffc08f13cd8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3892 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7068 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17970493643707114721,8142793652140580282,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1344 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2936

C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3220
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:780
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3244
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5040
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4072
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1728
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4896
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0973def5-3834-4c15-854a-2eaa4df40035.tmp

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c1a54057df2e506d40ca0432b26c5629

SHA1
a2b2f0a51d332213c80825bf322cc3e4ca2bc338

SHA256
f6696fe057ed32a6ef2cb524d165f1c069497ff71fda69171c0508ecc6c0f39e

SHA512
1a514d0dd658053aafb4b9b6914bdb81eec2ca9274ce8959036e27f33ff1a466dba2b5a4fabb8e603c9bea53513c1e832a74b4f3ffeb4cc0e106ba493c4759da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
96e2e1a544fa599c124ca01c5bf603ac

SHA1
a11df4e97276f1381435001e6b1e4b8f4823cb9f

SHA256
c63e605c074582944a61e619f9c8c5b73dbcebf1007c62196113354b4f15693a

SHA512
dd0277718dfdd5cca4b34e102c58c6dedf17da4256b57f9f78bcfb175d0c913c98bcc2d4cca3d2d78f106e72e76900a1112ead62ee5d250037a997ebb94f8d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e814d6e101d4ce5ee949606a0607221

SHA1
937e85620d5dbea951949d0ad7316b5dcdd2fc8e

SHA256
2a9188d0fd2c14ab221f8fe78b2377ee018027c139697604d3b8cc65173c7100

SHA512
401d71f8b8050f266fe821d33e9c9d16f3e4858a6f26fefa12aba89942d9fe51fb781cc7f9f2581b94e757db1b68770064812fda3c14434a03adc3970d79992e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
936B

MD5
c2668fbad3d5e3f8f35afc5a730b4e0f

SHA1
6afeec19507f365257935ad51b6afd341597e721

SHA256
168ca1521004693e7be57b6f6628f65e6b9269befa35306ff744cd362212b89b

SHA512
fd74ce29aed01b60cc3b595462798b816c67f899e40820ca42f9dcbc12cec25d73f26d3be5004057a23def6819db9f29459d243d9ae07f526f89a59715c7af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
936B

MD5
549bc4d0e70e787852bd28f4e13df5cb

SHA1
779733d485a17f2ae9df0af37a4adbb29f42aa43

SHA256
93d4f09fa225977d46feb9f37125471e786f6be295e50e4ff2982ba308035682

SHA512
d5ddc1455c81e03594ef89b413bbadda77d8acbc4f4af3afae8cca19fc2b94142ff9b39e8f4e1a02bdf1480ac45730844f8dad1be7abec9f86326a9d60f0e077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
245d4d3f81cb9e0e4041e9a3d904567c

SHA1
443ce9800375c4ea3e94e91ea6279c3fe2ad677b

SHA256
d668cd039a12f5c7ac29661d526bb09d58358e0f422d832657bc4756d5b1737c

SHA512
844663273efe122762365116aee031b28e5f93f27fee1f46b732f8431343ac0e056f8786cd405a8a37c01db09d3952f7866b6f185c6607f689dd3ed6ce9d8eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4361af8a5d6a58bf3624280ed2f15966

SHA1
74130f09b794be5ebb584e9893951d34ac341b01

SHA256
24200167524afd916645c3cab1c05435145555800d44acd7bf16903845f2aa72

SHA512
5663b83690ebb0906011f71be4ac068e3091d42a7e34f22fe1fa59548bbc525114e7a0743391c5810a3d185e62e95cc13056923e24ac19220c41436ab7d494ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c59b893868fe4bee0d3924f8e34449bc

SHA1
14304b2ec9170b77521737624d33264a7b50cf90

SHA256
c8afbc1cb15c5195d8fadfff8a899d3d9ab8a7bb48fbd88dab47d45d06a40c71

SHA512
9caf50a2ca1822a30ad6f81a31211684b92fcde75ad6eb8d65f5f9e234a5ec91f6fbd2ff232a0a02fa7735f44865179c8d60f9bc6ae8727ccead5eb7643d02d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14da92a424c8d36173ffbd0ebc5dd39c

SHA1
a6eea32766623c2fb8afe4080b1973646cfed8b3

SHA256
1b0dc401d9373831dc677bc1288f223be0ca07c166efc025132f05d46c068198

SHA512
f56a4bd178f318bc19b2a3f99c15fd71a6a13a3f8267fa5876ccf7e836a10cea856394f115b87df0ffd6f2168d45e42fd6a1f746cebefc4fbc8d322c7799e085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b09b72a09d91361d1d03a539b1352337

SHA1
185a5144a70788458131aac1ab32bb80507c4382

SHA256
100df68a69e347e9d0705b0c84cb7cb470a223c33d9fea3348cfabcedd51f772

SHA512
0efec539ee3378961eafbbacf4dffe3c7d1f7d8263f459f29242b3e4d572335f9429fe984b38df34db09b443f601d4567c2064d8f080989aef936febd1f87ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30f8058319d5026b7fec388092809d01

SHA1
b0fe303ad7ec6c6e4be9de145254c8de413cff55

SHA256
acfb688e1a53111fcf9abea2dab527ba0e76afa1bf05966234542babe056a36e

SHA512
c0d3df365f2cbdbf33ae66d9e7a9b6ebc30f5c9f1a734d70d140955a63511633a3695fda49692ce0fe382419785673509c5cdbe8bd531257e72ec9e7fecb07ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b4bdb524df516604f0ee5951e687cf5

SHA1
4ddda015eb2e0fc7739be2a12e05cc587d653fbf

SHA256
23db53879cb9a7b617cc67d73e46e33ca21a10290c37cc37348b33f6fa171840

SHA512
23c560517601bbb0580a10c31e9d1ee886b7f8e093f60af4bb3cac462938dfacfcccc2c50574d960aa44e11a6c67e7dfc0b2730aeb6dc6dcaec2d67f74558f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585213.TMP

Filesize
534B

MD5
16494ebbc2fa38e0097262618d37284a

SHA1
67ed53b437db2984a0cb6bd64dd2f87e3f0bc33c

SHA256
742c0bdb855fe05735cb2f474061ac50542414cb296d9583a092c4921eee7983

SHA512
2fcdd8a1e877504ad68aa6728f131a409013a83e59f21346d6c7f4823796601e7c940821a2403c4b8669f30a4197ce0261890717bb5e5dd3893418e0465b789d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1aa9719ba1e39d0b5a67569963f9ea4b

SHA1
fc90e32b6df1d811873e37c817a3a9dcc6dacac1

SHA256
76cc650c965c45c2e3de40048b3e1fb5c3d9e99045ac6d31111e8837b9b204eb

SHA512
c4f283457456e00df47219fccc5b04300019cebfddda03862df2684e67fba80bb04ae1efea449c930650b939d0ff2a2eee1dd76f294c3cbca81ce9fec2746bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
beec2dc97324f3887c233767e9a7cdea

SHA1
0e1c2bafbbff0caf96cbd890bdb7060101108fb5

SHA256
d8f88613ad413c84edbc3770f3a385eec0e183d71d4f8ef3822ff1fa45d622b9

SHA512
50a615e422c1db5a186afe9c3a1a151b17977f236b2aec0bdd7628544ff4601072c13e548b7922a1c85dd2ba14079dbae17a9016d6d196d8707afbe388f358be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d10550c9f819795c09dcbde598db2991

SHA1
6edd3e61cba7d8291def01b3fc418824c511aa12

SHA256
c675e3ff6807ab5bfa049f46808d23200494b147b7a27cf498b4b68fe944793b

SHA512
1bbffe2648e0de01a2b64500487b400950901604dbede63b803f840be296dc54ea637182f2821b43f684614978d733c53a22e4ab5be3f064198f2287486833a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
137598d25ad198a2adca899f0a911b69

SHA1
3c873ad3337d0f9eb16aeaef04231bdf9111f79b

SHA256
edcde1390ffbbff13980372ace69fab49f98df4302568759965b1ebc25784a6d

SHA512
25758b47df6be50e252cf259bd71bac920afe90d1f865d4f272c0edf1646e4f9ce5e333d0e41036ae6b363bcc74a1279e10c009074e6517ec69129014ace3070

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\pending_pings\7a53305d-4a15-4c97-8168-107560283ea6

Filesize
746B

MD5
0cf2fb837de01c8bc5484fd2c4c3546b

SHA1
cf53eb08aa55226f47fa54de8d3b4f54805d8055

SHA256
1d55d8fbd67210127ad7d1de03f96e6f6c231328d1fcd28fba26c37a3e22c854

SHA512
21951e19e0e1c84d99c64dcf5c8df144b3c0fd1030b443b3ca108055599d11f26f97830a11eae5f8b58a473c9528f1509b83dcea81679840d587f4a784a68b42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\pending_pings\958ccbea-e70d-445f-9367-3781dc181468

Filesize
12KB

MD5
0b88a0205a8d3930bb58b35f48e00e63

SHA1
ab7761e1a573c54f98fda4212a482fd75e89d752

SHA256
d8ba341dbc4fe3dddeaa11bfeac056747f929e426d2ef8548e8dda32ffd3ad67

SHA512
482eaf2841b8af5aec1371b883563a170b531da8dfad9804b7f5159f8c86ef9670e4a6cc3b2f5aa1a36d2ebaf09bef426e4004eabc62b5f0c7cb07ba26d59db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\prefs-1.js

Filesize
6KB

MD5
70bf80bb594c33ce8dadd8b9c1e6172c

SHA1
e07a9fbfafd3966b78b10784c5c3f9289ad1e59d

SHA256
8e0a408a4f7262381554a41f8dba45fb112d1d45cdafd5d35734e7503e710e5e

SHA512
8f3f8c22d173e9a01c91addab72cf6c286a32ca1099c7b824b168216ea2590f259a628af4c6dd37071596e0da0ec0c0bd49f52b93a5b5251254e5dc097414d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
d1a45c84423af84c5dcb169f833863e8

SHA1
abf7ccc094e752521dd3cf52e921392ebe14d1f1

SHA256
0846a9e6b8b7d8487afc6becc50e58da8de82f1460f35181271bf1f6c99171a6

SHA512
e5cd092bba1703e67445169ea146832509a1c6f3984907ea7e3cad45d40d8d884da01aad6659f73a019ba82eda07a3bd39834b4c2fe6639de586aca68e390d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
8d069675b5b27947541a9381d4d2bc1d

SHA1
a7cdc28a7e73ba41f8af39b8138d346013792b26

SHA256
9555f3cd8edfc9bd54cd22d0f87267a468f5cf255b38c9293a89a8e962a938f0

SHA512
dcc4b3b8b335d144a9682cd2df727424533b2509e5b8d949cbf87eeb65a5dff9916ba156bb2cda5f4978766c54a78f915ca4a7b2b5c9ac3dbfc8285b5892a8a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b5b136d3bb26cf07e644db277a4cf1cd

SHA1
88c7c3b7a6e8e42ca8ce086de2e01679e2b5a8f6

SHA256
8b280539bf927a5b45875eb5bf322e92590a23b6063dd7fb692b27ee5fa10c59

SHA512
62c261a50ef4800b54e22289d77f8c4a9d642dfd2ceaf08def52d7ce9a08cfff3f2d8f30f1acc6d668e57bcb72f85f56f1134039eb29978bfaecb1a89fba8816

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier

Filesize
650B

MD5
6f2bf9f661ca487abf2e75c12b138c23

SHA1
0ce9416dde2a0a34c9a02d397e03ea4083af9d87

SHA256
100db4f53d0f5444f631dd0ba7ac9592e7f120818aac5606c485e87c94b8cbeb

SHA512
7237be38ffd9462928454b4570c9be3ac20f6da80da98075f920b44d400b5567be073cc0426625b48840d74bd970707f64bf1ba44c53f2a52af6cdaf3baf05aa

Download Submit
C:\Users\Admin\Downloads\memz-master.zip

Filesize
17KB

MD5
4790677e05d72ef7429dddf35562bf4a

SHA1
4243d6ea53db7e8cc0c355e70d6cffb54787b90b

SHA256
319bf6087040d17b87f46cd05f5ee064c291ba9ca46e1910f28d1f4c57cb3d96

SHA512
a93c5f691938bc1bdd9ef20b975f0b22cf494543e7df82ec31838bf811552ead5cd855959be4e47186ee7de944be005030f52f58b9dc85e7cde719cb97b794e3

Download Submit
C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier

Filesize
167B

MD5
48aa202d5600ab0160ddf7d753b4a177

SHA1
4d1e68a6908f66faaa15d253130aeff6fe323c3f

SHA256
832b62b5324e24a4e7f43cc66e1610f2e22871acd1a930b9991b4d79e5930154

SHA512
1a51b931c974ad6c54ce5167535f17df75c5fcf11b8314d3a55dbdda777d826f3d27032b51308725f6af925163dc0b22095ca62523375850cd63349fc7148c79

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit