2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Memz.exeMemz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Memz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Memz.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Memz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Memz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Memz.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	process
5084	Memz.exe
4924	Memz.exe
4924	Memz.exe
5084	Memz.exe
4608	Memz.exe
4608	Memz.exe
5084	Memz.exe
4924	Memz.exe
4924	Memz.exe
5084	Memz.exe
1224	Memz.exe
1224	Memz.exe
5084	Memz.exe
1224	Memz.exe
1224	Memz.exe
5084	Memz.exe
4924	Memz.exe
4924	Memz.exe
5020	Memz.exe
5020	Memz.exe
4608	Memz.exe
4608	Memz.exe
4608	Memz.exe
5020	Memz.exe
4608	Memz.exe
5020	Memz.exe
4924	Memz.exe
4924	Memz.exe
1224	Memz.exe
1224	Memz.exe
5084	Memz.exe
5084	Memz.exe
1224	Memz.exe
1224	Memz.exe
5084	Memz.exe
5084	Memz.exe
4924	Memz.exe
4924	Memz.exe
5020	Memz.exe
5020	Memz.exe
4608	Memz.exe
4608	Memz.exe
4608	Memz.exe
5020	Memz.exe
5020	Memz.exe
4608	Memz.exe
4924	Memz.exe
5084	Memz.exe
4924	Memz.exe
5084	Memz.exe
1224	Memz.exe
1224	Memz.exe
1224	Memz.exe
1224	Memz.exe
5084	Memz.exe
5084	Memz.exe
4924	Memz.exe
4924	Memz.exe
5020	Memz.exe
5020	Memz.exe
4608	Memz.exe
4608	Memz.exe
4608	Memz.exe
5020	Memz.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 6140 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 6140 AUDIODG.EXE

description	pid	process
Token: 33	6140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6140	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Memz.exe

pid process

3700 Memz.exe

pid	process
3700	Memz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Memz.exeMemz.exemsedge.exe

description	pid	process	target process
PID 1492 wrote to memory of 4608	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 4608	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 4608	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 4924	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 4924	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 4924	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 5084	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 5084	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 5084	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 1224	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 1224	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 1224	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 5020	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 5020	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 5020	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 3700	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 3700	1492	Memz.exe	Memz.exe
PID 1492 wrote to memory of 3700	1492	Memz.exe	Memz.exe
PID 3700 wrote to memory of 3720	3700	Memz.exe	notepad.exe
PID 3700 wrote to memory of 3720	3700	Memz.exe	notepad.exe
PID 3700 wrote to memory of 3720	3700	Memz.exe	notepad.exe
PID 3700 wrote to memory of 432	3700	Memz.exe	msedge.exe
PID 3700 wrote to memory of 432	3700	Memz.exe	msedge.exe
PID 432 wrote to memory of 4968	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 4968	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe
PID 432 wrote to memory of 800	432	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffff88d46f8,0x7ffff88d4708,0x7ffff88d4718
      4⤵
      PID:4968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:1484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
      4⤵
      PID:3016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
      4⤵
      PID:3868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      4⤵
      PID:1864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      4⤵
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
      4⤵
      PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
      4⤵
      PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
      4⤵
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1
      4⤵
      PID:5336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:5592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      PID:5148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      4⤵
      PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
      4⤵
      PID:5728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
      4⤵
      PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
      4⤵
      PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
      4⤵
      PID:1840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
      4⤵
      PID:5620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
      4⤵
      PID:896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
      4⤵
      PID:6576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
      4⤵
      PID:6664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6623934720999259030,8102388362783521339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
      4⤵
      PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
    3⤵
    PID:636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffff88d46f8,0x7ffff88d4708,0x7ffff88d4718
      4⤵
      PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
    3⤵
    PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffff88d46f8,0x7ffff88d4708,0x7ffff88d4718
      4⤵
      PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
    3⤵
    PID:6504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffff88d46f8,0x7ffff88d4708,0x7ffff88d4718
      4⤵
      PID:6520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
    3⤵
    PID:6220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffff88d46f8,0x7ffff88d4708,0x7ffff88d4718
      4⤵
      PID:6228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
86862d3b5609f6ca70783528d7962690

SHA1
886d4b35290775ceadf576b3bb5654f3a481baf3

SHA256
19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed

SHA512
f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
2354ab29511c9a26a4a91d36ee895179

SHA1
ed0a86b00ced7274c4fda24c814b729dcd01a959

SHA256
a4fd8b9b248938d3c1ae24f82a0c8ff168996546cd117daed0c754ab35ad9423

SHA512
69c1829a177e1edd9128cc7d6c123e765815f2ef05f71bbc884d0a33b9d9503c256104ab6e3e26cfa837c267a5cda9f46f89b771b4ba7c24c85f78c787453303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9def2e244689db7ce5441c6daa09b977

SHA1
32a206f60bc3abc78dde028ea3ec7d91ad5dc132

SHA256
684070c6ab1bd40d8916922f8b2fe572cea123b93e3b1b9afed891dcea683b5c

SHA512
6848648d90d852027e57aacba9b544f029af8389c289e604506dc2f70d565348134813a83d4ddc3164661db0918d59d091f63b779d840e7d56da50d8ca99b2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
62ca039ed80a9b881b48e17864ea0317

SHA1
a7cfca8f6f1b7dc87b7a0ebe57cf7fefdfed0328

SHA256
86fe1030af22c5181d9223759cf3a6af6815725c685232ac911081399ef7ec79

SHA512
4320467ed362796748bc30d7982291a55a1496d989309cc3630d5f5354f883a9b17d09a2796fc109f4a46b9254675ad8efed458083ccb6854efb59de98004f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.vice.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ce62298af1bd39986da57c235812c82d

SHA1
669d4ba0a8ef656a8f42849807022520f177b158

SHA256
992bc0576c5fc9b6a53b314b1907a4332ea776dc16d75abec967a99aabd85b88

SHA512
98fd7695824ea004be7e1d659dfa2fbda76ff06fc7535b4b03e2b2f94e74a8adb36863467baced8197b98541842bff3627b1ef32ab52746a19a6622823168f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6bd6c15fc304f673734645924a379d0b

SHA1
a98a21529e0380df32c160be0982bd8189439ed7

SHA256
1e614c7a46898cf43f67d55b1e2c69bc46c4da1a63a4396984ae48a60a5a4a17

SHA512
271fcf31f5adfffaa8e795e71df55559f61bfab021af06c612d9a392e827980a09daf23ec7f4e5f08136adc0c63d7a668203162d0d5f93b624d3e64d671669c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5961198dad296a97eee76b4610fd3a9

SHA1
40317650c1ae8e0e0ca3f0834c5166ec70429e44

SHA256
25e925f8e709a874cf839eb45d5d10a0bf9f644217fbe3fc98524fc306c583bd

SHA512
9e373b3e82814c19d1d2281a948409d5fda22de99feeff46bd8d8d50bf833aac487f484cca21574c30e8947fc14325bb8bb6dbe9541c3e1a940d3fb5f0903918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
b178af8431e6174663ccaa50c89dbe0f

SHA1
8ae9e117195730ca0ff9b52cd85de0b0754ed806

SHA256
c8f0e683e313ba258cceeffff52dab152451fbe24b215803f0978ebf140cb04a

SHA512
158c702577144f2013445602a9599e6b477215c47ddf768f1b641bfc0ea483212f18c50326167ef6b63dcc1c240d3298d6a8e6b567782edb2db15cb4951bf5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c10ade220949bd0af499332517cf3d5

SHA1
0815a89cc4a3d99dd3e872b9ffaa122686a0ebe3

SHA256
f08ff4197f9d8243ebe43968e887940511e16863d79134b3735da633f04550f3

SHA512
ffa3802729e6b8d1ea2f6386812d469fda9239ba95af63d56a71379619a955cab114e2487d3f0cc0d66169ccb4cf60d29e41638934d79beabd2dd398fa6bae77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
6eb405f417242a579a2f40eb14a2c347

SHA1
ffec3d1415b8e5b3d52f50fe9610a372fa0046c1

SHA256
9614f8d9ba88bd9314d86c29b2c940f53d9bb7f8e89ad8acec21c41c2f7b4e57

SHA512
fef4705e0e2a476e6f8107372ffd0bb1549e80224f7751753d42cb03ad2a2bd2515d74ba1dbe5ad782c5ff703151122a21f92fcd58189aa3024f0468c5108f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
731c36d5aa030f998481226080faddf9

SHA1
138a5c3b294aa18455a0705b0e2dfe7d3684d117

SHA256
7b452f2e39e87fb569357bbcb0309a88119cf7eae243f749ba5bdd7c9c5b8c96

SHA512
3d9ff3704759b619172c5c226c0df03dc25d86e35cc1950f8cab836511db47dc3cc9829cba21a89053a4ba9b2e2eff3e053ea17007a0271e3316b429c5993a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\46d55544-a3dc-407a-8b7f-fb0fd656ba20\index-dir\temp-index

Filesize
1KB

MD5
882cb6d987872f0bbc8e76a3364700db

SHA1
38e72fc66f002c4e18e24fa0a5d5d0565067c846

SHA256
09222be9b6cd684cc6cb5824ef106a85d82f34842e8dd48a576df27a0ac4e2ce

SHA512
43e6f65e9af8f3e0e7de455f16e82ceb22f5bd62abafafb2b0021cccec087dba78066cdf398417d401b0a96fe6a0d5d12eff9d9708105a88feffc9a9472030cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\46d55544-a3dc-407a-8b7f-fb0fd656ba20\index-dir\the-real-index~RFe597044.TMP

Filesize
48B

MD5
34acd6fb6a5620e29951238ff6b3eeb3

SHA1
421b2365f53c2acd97712e3410266f66fc5035b9

SHA256
09129ad2870f50c5adcba1cf122bbfa4f581dfd37215d7d714c7cc4d51604373

SHA512
3258235dd38df572926d367bd76793730fe94754827066f42308f8b9386b1a2147f673ba433519f1dd39792f87c42fcc1476b58e1593ae9c08b6e1c655aaf4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt

Filesize
115B

MD5
8c5c9f3ffe9c91e9bc9c7ff757219943

SHA1
b75e5f889b9519418b65f3246bd7fc904759a0bc

SHA256
82c2d96b6a18258527f172ace5913275e63eb20b7b2cab676c2332a5ae9d2a92

SHA512
9d86c044270ab6ba14a0eec058a4a056b479b23c6315f09aa022072f23921172f0dc33f790c71604a5339d51261a7f132f7e99f7c050debc97dd4cf1b2781c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt~RFe597073.TMP

Filesize
119B

MD5
327d868860fa73c72a62238ff5e3abc6

SHA1
952cde953313314e74da8d057906b0a332ce1c73

SHA256
5688fc8cb7ecd81ee132a7cf381e6530752f743cc49a21a17792492f1b8546d2

SHA512
c848d09ac5a66ee5111da5c6df72bcf8616c3331ab7a87878fffde571c419e7f027e67d610acde5bef1a118e983a9d945a8e4d47348ea9e175483b8d9ead6f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c7c64c0da08a8b08eda736d101ec42d0

SHA1
516165fe7ec3834eb2226aa21e7d209e0f8d9b78

SHA256
7b3cd1f9fb9d69892daaa7a9401e9b6c0a12f0d093fa4d64cd751c6a673276f4

SHA512
d490ef908b32cbaf438fdaa825a8722e0b6cdb1ddc22a690a4dd633a4636a3b68c0c774187516eb5eb81370df2318adacf1e9b9df005d72bd4e8ffe1fdad52b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5963c1.TMP

Filesize
48B

MD5
2d41a8808554f8bba675952f52e7cd89

SHA1
de379ef95568c8c4a84de80a799ac611aa6ae3bb

SHA256
d7c77adb368cfa85ed79a637c6eec8fc7e9ac904c43973ccbe73532ba5471939

SHA512
b9bb310db437ba8f7a86297bb1ea9b5a0885c860443eddf4eb89fdc95bdb13a01a0ec810efa391ce3bce3bebc3a383894f26311afb620d8a698d68f43e448d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c70553f5cf95d776b25afe1042e0014b

SHA1
a813f8f757b4cd791b51797da98e203c7e9e9299

SHA256
45638bef49b214ed8a2ea22ccfce411ce557e8ee7142f17b34d10b149dbaa07a

SHA512
45e21ad2ba28111dd425784cd0e9cc5803bc5a6eed4fa08c8e3a20986d8f88778c70d207f41c7f7b8a787e078e4760fd6a260fbb45e8446f78028e8675fb67f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
a7f1e4f1ef04cd2b3c8c73fde0a55c3d

SHA1
b46914756a099b937aa88a912993a0633ed1b676

SHA256
d0e9f7a92095ba25124fa3543bf9d5e98cb3bfeb7613ae5b156d7e1fe59a1f2b

SHA512
1ea8f6a71354cf3eaad1a31841ef9740dc57ed091e07d72f79a14c377a55649690e3f744f57888437f7f4d8c49d532ec4e2c3c8433b2a7d6d2b63446fe1e9a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c98d484710b79695aaa24048b76de072

SHA1
f32599099447dee7824f3863775fe622f09e9267

SHA256
4f6db9e1383cf8f339495ad44feb640edd5808ef893765853969922186fef465

SHA512
946fe2d798ccdf13e7b3a173e74fb8724cd27ef06c85b0d835e9b9fdadd973d1ce727a32c2d0f7fc2c85a33b08cb43bf31c979b3b652356f792bffa9dc9e2d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b08e.TMP

Filesize
204B

MD5
cd84d7800e4771ee0973f9156030fd5e

SHA1
658a8032d70c7472f2dc5c27a499855692369a01

SHA256
7287f34a3384e4a214b2c37f3837f68540dcd4bbd6790b1b02fb8db8c7eeed7b

SHA512
7b7daec3fda7291e020f4bd22cb234314aec9f9d09e3f773bde2710ec00b0c96f0a8c491465fa1a32d684365bf97610f8f6a423333002e9700f12627d3c20c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
851389c6af152d76965aedbf2b7ffefd

SHA1
e6c2377377cda62515085682db3f6379d8938b70

SHA256
6788d7d54d0cc576a8fcb0b130fd093dbea84c922ab0039a6b525f029102f6b5

SHA512
ba5982a846ef1723cb12eb25d0228395e103a431f854adbe4591a9394d41fcd538d0017a8a924b6d30f8dbabfc490a222d17a27d8271d25f2ce97c617b480002

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_432_FSWTXXLAVRNJUQEI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit