hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MEMZ[.]exe

Analysis

max time kernel
177s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 16:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MEMZ.exe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 9 IoCs

pid	Process
5844	MEMZ.exe
944	MEMZ.exe
5212	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5040	MEMZ.exe
4856	MEMZ.exe
4232	MEMZ.exe
5332	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
47	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 573614.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 624872.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 992345.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3044	msedge.exe
3044	msedge.exe
4248	identity_helper.exe
4248	identity_helper.exe
5216	msedge.exe
5216	msedge.exe
5532	msedge.exe
5532	msedge.exe
5320	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5320	MEMZ.exe
5304	MEMZ.exe
5304	MEMZ.exe
5304	MEMZ.exe
5304	MEMZ.exe
5040	MEMZ.exe
5040	MEMZ.exe
5320	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
4856	MEMZ.exe
4856	MEMZ.exe
5320	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
5040	MEMZ.exe
5304	MEMZ.exe
5040	MEMZ.exe
5304	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
5304	MEMZ.exe
4232	MEMZ.exe
5304	MEMZ.exe
5040	MEMZ.exe
4856	MEMZ.exe
5040	MEMZ.exe
4856	MEMZ.exe
5320	MEMZ.exe
5320	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
5040	MEMZ.exe
5304	MEMZ.exe
5040	MEMZ.exe
5304	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5536	taskmgr.exe
Token: SeSystemProfilePrivilege	5536	taskmgr.exe
Token: SeCreateGlobalPrivilege	5536	taskmgr.exe
Token: SeShutdownPrivilege	5304	MEMZ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
5844	MEMZ.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe
5536	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5844	MEMZ.exe
944	MEMZ.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
4440	OpenWith.exe
5212	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5040	MEMZ.exe
4856	MEMZ.exe
4232	MEMZ.exe
5332	MEMZ.exe
5304	MEMZ.exe
4856	MEMZ.exe
5040	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5040	MEMZ.exe
5304	MEMZ.exe
4856	MEMZ.exe
5040	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe
5040	MEMZ.exe
5304	MEMZ.exe
4856	MEMZ.exe
5040	MEMZ.exe
5320	MEMZ.exe
5040	MEMZ.exe
5320	MEMZ.exe
4856	MEMZ.exe
5304	MEMZ.exe
5304	MEMZ.exe
5320	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1684	3044	msedge.exe	83
PID 3044 wrote to memory of 1684	3044	msedge.exe	83
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 660	3044	msedge.exe	84
PID 3044 wrote to memory of 3052	3044	msedge.exe	85
PID 3044 wrote to memory of 3052	3044	msedge.exe	85
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86
PID 3044 wrote to memory of 1436	3044	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MEMZ.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa54ff46f8,0x7ffa54ff4708,0x7ffa54ff4718
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5716 /prefetch:2
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10404460493534692036,4528212750959560587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:6120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5732

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5212
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5304
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5320
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5040
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4856
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4232
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:5332
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:5404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
    3⤵
    PID:3188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa54ff46f8,0x7ffa54ff4708,0x7ffa54ff4718
      4⤵
      PID:5992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
    3⤵
    PID:376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa54ff46f8,0x7ffa54ff4708,0x7ffa54ff4718
      4⤵
      PID:4200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
    3⤵
    PID:4420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa54ff46f8,0x7ffa54ff4708,0x7ffa54ff4718
      4⤵
      PID:6048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=half+life+3+release+date
    3⤵
    PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa54ff46f8,0x7ffa54ff4708,0x7ffa54ff4718
      4⤵
      PID:1416

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0467eed3416967f056eb42ec0f5a7390

SHA1
fc940cb6c0c0986bbf1e981f589c321369902c14

SHA256
d143fda422d1ddc146174a5b1cc374131bbaad393741ca756d48c626934b69dd

SHA512
90163a01996603c8e25c4c0e7a478cc9d62c0ea9ccae5be11946d916b72be9a333ebece7da8887831aa58c73a62415ad76c25486580698610d8fa884abb30f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
421caf7e8a30fa8e33a03235380eb4f0

SHA1
4469f1b2e7e9a49bdc7e2ab2c822590a1935b047

SHA256
5b08f8442084d82c0df0a4ac68a34dae8b740a81b5403bfe4d700bf314589591

SHA512
d2f598fd2c29d3b5ca0528e489df69bebfef1fc0354696de3ace0a54c6354313adfed4ce61a082fc912b3badf578a9399a5c8857cab4ef59c20d93994047e248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0721f4ad5cb6d1479f624a1c5b0e3d26

SHA1
f43d364d783cf12d06c8ac89938f843e51c9c9ed

SHA256
642dcd6caf2d5e72b88d71a7af7e401ad5e06e55eee7ab858977e28cb7b96833

SHA512
a4cf4427e4c8d52cd70fd14d9cf52de677a9e471f6557b5a0747415e0b35e1ba2799be216cbfe4897162ba7c07a37ffc51c5fe172177363f9df33679bfd6fbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
22fd5ed837ae9c1dce07faae15ed2f5b

SHA1
d62b353da341d0024d1b2864b50bdf2537faa910

SHA256
2af0fd4045b597ad7cfac8e994a2750529b07b0364f3c8daf13dba0be8c82083

SHA512
b33571d2078057b08d410838de0f0cff2dc86453cdef3676379f1bb19b72366ce2b19ea0cdbfe24c52a3e50c66a8a981822806b16b5e2f37f042a98b43e2aa32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c30db2a55d142f7c7b2eb1119d183a26

SHA1
4753af6c1300d550e44fd2a903c8067c68bbe3b2

SHA256
9b7bf704aca546df02ed3236ee507d4d32a780dcefa43669a3de2dc6e8ee1e90

SHA512
4703927a8cd0d4345be23cdc414ffff741df4dac580e14782fb314fd8096c22e41199752e879e20f392fdd2c69dc9884339106246203bb02a963a9ec48fd94d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
c6dba56b9c097935596daed379ede4ae

SHA1
f8603b0cfcabf7ac5e9de6497d38e5ea417d3a4f

SHA256
7d2e72a397c882f5e00eee536904c318247246dda54fa3b46962020e3560bba6

SHA512
8091f48e4b161d1976d6ef19acb85d9cfd360c484dc84cb1f8ad150ddb740bfea76dd58c7763a05f7d4900e27007709bba20c1e2c61f6eed4a9e444580ca0e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
babc9df51e8a70eb711dd7a731870c5a

SHA1
f1069a979f3acdff01cf1a69b8de11267ee4f3f7

SHA256
aa81a21e8e09d2a4e3d28d8b94ef73c6e9b01dbdd2179cc14c8729a5e53298f2

SHA512
3b4b237fc8be7b8ad77f6a709d8c3bd51fdf38338e2bba228e9414eb69d67b9cefadba32fa9289c57a0e8b0dcfe3331a12e5bfa6ee19db8f9a39c6646f855efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2282e270c866e40a852d932bf7718cc2

SHA1
ca143daf350f976eea21b24bb594402843bf9544

SHA256
ee91276362d39d0801efd406a718d16effc437510c7d0429470dd1eb8db7cf51

SHA512
ddf8813559e8be2d50c5b1342c7f8191646c28bbc7baf53167c290f3fec8e61880891eb9ba4022fe2f2ec57c55a9a122a334a734389d04332946c70d5e0b93e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1910992401337bdde225d2ae6893de1b

SHA1
dbb953b8ddbdd34810a2e40b23562fff09d3d796

SHA256
73e128948e7f97daf4ab43ac291e78d73dcbb3bf725e651d11018d9ac566a596

SHA512
4f538f87559a7a82d5b4d658591b710804f725d1a20b90dd467e90ce94b39e7bd3f07045638f12d139a5100f034c5674d2ef09c7abf69f6c595a97d52ca9d61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4a567fc534f4d9db78c36a8fb114509

SHA1
6265fa7153d6d4b13bde25ca82f049f647734808

SHA256
2b2417c3491d9f0acf8fb5a9ea16b20e93c16350054af9d086396908de6f2a35

SHA512
32667a14157f46cf11d3021ce682bdb41a6bd816eac23e8862e1a84ea662d9e210caef24c3aa56ba9912f93923c2ce845dd8b817d2367c984a2084d7b80a8381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ccceafb533894faa279a4a19b0a4a15

SHA1
51c0ac84ed9c3b536103984f5b5c115f74b106e1

SHA256
9130d3a119987f0f1f40ee09f6d8594cd95ca54231a603401f60337fe22a00e0

SHA512
82ddbec23f6f4a2f4ede73a6ff90fc607711808a1815979dc3a7216571ebe6b66ad847b0ff1590db904d32e67089c718dce47a6e31ca57391da55c6e3bbdeae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ffd6e456245aa9b74320e385da1a8649

SHA1
037d4bd49b0bb9d70ddf0f361e2177e114e7f574

SHA256
d2e419435adb6e8251477b5b496c4328e332534e78d5b7e8c919338a2eacc979

SHA512
c8fdf7e679d4c2e1563d772f92a84aa64c2f505279165892571f1ae3aedc10404ce64a0c1f4b3e74d951f896135dcd42895036e416d8496cf38b38c12d6a3f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f099def3c664a5a1058d9a1d24e252a

SHA1
9091584ef4422445d315903977d06547d643f829

SHA256
2119572835ec2221269c268dfaf161a1b70393a52578743224f19a3e62fc86ad

SHA512
3a534ca32101b9f8e7fae46de6038c4e290aaa6f445709fed199747bbbfe765da62b180051c13f960f07d6256afc392fd4741d6e45db163d6e518f429a5ae101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02254c4ff1f7ebbd7b122cd518ff127b

SHA1
9ca264bf49c2ef3e0286e407def08bfb3b4e51ef

SHA256
fd6a1008828f812d670084aeef48ed925787fd8a38724025fb9532e5b699a53f

SHA512
59fc70c6f170ac8cf689764726c3410b4cd415d78decf639aca70185d6d5572086b9ce104c15ef40907e37668452ba7d3919ac42bb024b6ef230a530b8d8fa7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd338db651cb29adaed282f88bcee397

SHA1
d88642e7a591c2b8f07eb99203b422b09cb495b1

SHA256
b39a0393870f538aac9b93327878365dcf0d836e01b78bb3a5d5fadf864a32fa

SHA512
1a6c7b7ddcc757e39fb9854765d2aee06df5c2a3c1f666dd33212ca70f28f6b386fa1458f37630478473fb60ccc60be18dc3dbf09fa862beee8bda22c60a3fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c331.TMP

Filesize
1KB

MD5
f756faa82f790e0dfdd9ad2a0578a441

SHA1
02c522de3c2376205b66fef7aafd1c6be89f452b

SHA256
a5b2f020f7f4517a978ff5637fbc2a3a7278be339817fd8aeb5621c8dbde5bc9

SHA512
1da51f62fa710fc87e19f42b1ee57fbfd43a747f5232eada9b983c00ca68aad422a237a52bb84dde449cc306c81ebf6bdeeb7d7e06f8f0f2f49579f84e4cbba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af017eac32c0c1d72523ab65fff6c02a

SHA1
23b4bc02a16b260a5b6c2d29099d43793bae1b9b

SHA256
ab796cdd4d6bee1ceeb5b6e2b473f11aeea63be63f0f64d0d59b4afa9283c91d

SHA512
945d300c4c86795498277f49b902afba9047bc67c56fc53af1df0f04c9eb285ab4268986f130028cc3c88eb542ad68b663adcf977ab53730981deca9b75580d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57c3fcb573ca3ec97c0c60f4fdbc892c

SHA1
7fa08303533a2c9eb4eb90e41ab09d873bcdb280

SHA256
57cbe10b7401304e88419e507170c17ee94a1aa0d52b92e182844d040082961f

SHA512
a5caf0c00522320bd2c78121e26b00c59f12b55a41761269cac2107f714687eba29ad569ccce3f42e61fbb611890ccdc7e290ea3461283cdf2c20a05d06080d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6c7b85da06b97eab19209dd75a77cb5c

SHA1
4fc398e4275d285dacdf99b0b10caed5933c7e94

SHA256
718b39727a2f5dd5a82a182510a53a5441db354a749c8d3ed17958b33181e9cc

SHA512
972e1a55ea57b260c4095d94e3d882cb90e2701180fca498bb35d25b261b89f84bbc0455952094f6f8056bee729b1cd57eb9992414e9cef3c26d1238d4e519a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
17899162eadf1ac352facee0e5505b7a

SHA1
2b9fede6cb85c3529ec6bb659cc9bec7676518ec

SHA256
d266f816be2d3672626fb950f2f2c26e7422b99d324a6c3c2feb87b8d6c0fd7f

SHA512
d8822074b63e123b7f2d2313ceaa060ef6e7e8778c1ac636341e60808ddf166778ecb6a0cfaf0fc2e57d87eaf779baf0974f56d6e56ec2cafca5cc6a4b7c8009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5ace8e418dcca81e40494cf2c72b88fd

SHA1
5df70d6306f2948c7faf420e0de1e27299ba1d70

SHA256
a1073b0d444e747c25cc9d9ff67dc6f885f6acf3e54c409413e5498e7eb705d6

SHA512
6d57948fd62dddb76bc835d8dd6b97907b593ec10ca72b8c3954be78cf938437a6caf7da232bf21ef3f5a6962619938699491d38192f108665947a3db94dadc8

Download Submit
C:\Users\Admin\Downloads\dc77ab7e-983e-4d9f-93d9-4a27411583da.tmp

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/5536-552-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-553-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-551-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-550-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-549-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-548-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-547-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-541-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-543-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download
memory/5536-542-0x00000235610A0000-0x00000235610A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads