hxxps://github[.]com/Dfmaaa/MEMZ-virus/commit/70281025ac56b07fdc71b0e4e480e4bcb5222309

Resubmissions

02/08/2024, 19:56

240802-ynvp5ssgre 8

Analysis

max time kernel
131s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus/commit/70281025ac56b07fdc71b0e4e480e4bcb5222309

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 14 IoCs

pid	Process
1860	MEMZ.exe
3896	MEMZ.exe
668	MEMZ.exe
3720	MEMZ.exe
4812	MEMZ.exe
4460	MEMZ.exe
2020	MEMZ.exe
4972	MEMZ.exe
5244	MEMZ.exe
5256	MEMZ.exe
5280	MEMZ.exe
5296	MEMZ.exe
5328	MEMZ.exe
5368	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
42	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{7FE43A94-6413-4C83-91D3-6116EDFE14E6}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 769491.crdownload:SmartScreen	msedge.exe

Runs regedit.exe 1 IoCs

pid	Process
1456	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
4976	msedge.exe
4976	msedge.exe
1800	identity_helper.exe
1800	identity_helper.exe
1284	msedge.exe
1284	msedge.exe
668	MEMZ.exe
668	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
668	MEMZ.exe
3896	MEMZ.exe
668	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
668	MEMZ.exe
668	MEMZ.exe
3720	MEMZ.exe
668	MEMZ.exe
668	MEMZ.exe
3720	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
3720	MEMZ.exe
3896	MEMZ.exe
3720	MEMZ.exe
668	MEMZ.exe
668	MEMZ.exe
4460	MEMZ.exe
4460	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4460	MEMZ.exe
4460	MEMZ.exe
668	MEMZ.exe
668	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
3720	MEMZ.exe
3720	MEMZ.exe
3896	MEMZ.exe
668	MEMZ.exe
668	MEMZ.exe
3896	MEMZ.exe
4460	MEMZ.exe
4812	MEMZ.exe
4460	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4460	MEMZ.exe
4460	MEMZ.exe
3896	MEMZ.exe
3896	MEMZ.exe
668	MEMZ.exe
668	MEMZ.exe
3720	MEMZ.exe
3720	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2148	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2148	AUDIODG.EXE
Token: SeShutdownPrivilege	4812	MEMZ.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
1456	regedit.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe
4812	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 1480	4976	msedge.exe	82
PID 4976 wrote to memory of 1480	4976	msedge.exe	82
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2496	4976	msedge.exe	84
PID 4976 wrote to memory of 2152	4976	msedge.exe	85
PID 4976 wrote to memory of 2152	4976	msedge.exe	85
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86
PID 4976 wrote to memory of 2144	4976	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus/commit/70281025ac56b07fdc71b0e4e480e4bcb5222309
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab34b46f8,0x7ffab34b4708,0x7ffab34b4718
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3896
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:668
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3720
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4812
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4460
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2020
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffab34b46f8,0x7ffab34b4708,0x7ffab34b4718
        5⤵
        
        PID:4736
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Runs regedit.exe
      Suspicious use of FindShellTrayWindow
      PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5328 /prefetch:2
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2218664879865568174,13465431971761491117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3328

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4972
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5280
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5296
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:5368
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
229KB

MD5
57c541221efeb823a27c684f30a80469

SHA1
e957951d9c55c4d94f40f6bd9cd392b4f8c11688

SHA256
eb469eb2741dcddefd9bf7e33fa3027a4d1a25f8ecbc267eee7f40667f526ce0

SHA512
e4fb117cb65026cbd7a5567d018f3dedaca06dc47321b2d91ce7359fc0e0e9704de9b59a4a2caac491ff1680ed88fe4431960af5b01c0f395fbb1900101ccc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
47KB

MD5
1b41de287931f25dcfdb32b449b62dce

SHA1
e457bbc7784ceacbb11cfa3ff65571de5c0ff227

SHA256
c1fe59b2b1995ef9709e1dcc147a96774f04c95374ca1c4df0c41e1cfbaeb8e0

SHA512
4d1de63bd0e1d61375a72252f41be91a61d766b3b204a0e72bf6530195a3f26d89c8aecd75e175281287b3b3b56a71f964ced207a0037641ba8c893d2ef75c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
747KB

MD5
b81ace3b4244eb24aa6f719dcb7fba9f

SHA1
32d47f92d659ca2d8cb6676f1e49e8eb60ce5607

SHA256
d0b39a681e75b724c42d10cc205349f04adc2dbea71c41e2825bb7cbf62ca539

SHA512
f5f997d82c37195e7f5256133f8d00b3532cb91b7be850d702ba2f40f76a7b7e36671b73ab1ed9fc0f5fe97055a15008ffbbc61c34ebb0d84f0e44e632b0f366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
20KB

MD5
644f2b0ee81b56ac7303031ab3ca10e4

SHA1
7ca67423f0ded5ff534f0a0d42df416b44d36805

SHA256
dda33f363084c0f939d6daf5e648ede370fe5be24bd408a6ea0e6bfa1042e6cc

SHA512
461b910c1c3d43d5e62ca18d8a2ec7c9a3db196d649c08ca56d92a8a5e39a991fa5dc53ee20572ecb93b3315b0ba2e2a0ba9f5644c61b2d2c81ef74c05abc39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
32KB

MD5
610293cf4ea82a578cd1887889626ad0

SHA1
8f505a4584e51bac66f9b6a623a1675e5cc10cd9

SHA256
66753c185ee3c839fa84adad3e2809f4419fa87be1a4910d05997ff33a783324

SHA512
80103e0a65015af0f79c7c37f63fa9ad7bd0290cb7d1f2324ce17811b3a125af27f02958fa4d55590f4f8d29e444245066127dcdf201c9f522e00b79f82e2e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
32KB

MD5
9d01eb0a17ab073b23578fa43d8cb8ff

SHA1
9494cff21da72d4c633827d4316b5b3295e837f0

SHA256
c262b68986387896023519db8825e3ed1e080d5307b72474bac05ec98185c530

SHA512
6c78a5cc939506d590dd63dd2a630e92ce68de84e4055e093bbd3a2f233243da12e315f5ca2d221948e39d5fbc951b1e958da851d31b41b9a86d29a133e3b3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
69e53c10f0851d6a9a7832893a640fbc

SHA1
7788bb9b4afaa2658a4d5ea09b2a662ef338d49a

SHA256
6ab25a144a455e13618b5440f6e81b1d5ce38f3c2d6dc5c341c3be4b0e8cbb9e

SHA512
66d1407980aa3c56efd9761d94accb9bce99cefedc78a87492f8600f0efefc69c289f7a0eed7d5eb13e8d0611ca0cee1125525f59c7dabcfdea25f4a2756c7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d4503e19806e4725495dad11d38d2495

SHA1
b66e00e538540190a9b5dc472589f937b9fc6fe2

SHA256
3ad7cc10dd6a521a8c96c23bcbffb21040a124b18c0f07677728e677d4308905

SHA512
3a3f82333c77e8f3f8b5192673c8e59059459364e999b6be49aaff0541e5d2161b615f892b1391953b22d694fc31050a089b78d58f7e5e0b063812e10153de4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2e9e6afeb69342cedcaa85296b4cc0e9

SHA1
d15475053d935eed9f139eab5c58be351b5fe882

SHA256
86a3d0d2d116cc41b142c4f454e0f697c248eb991edc89376acd2377a0152735

SHA512
d95c0c067158d134cd3c30b17832c6956d8ec9a224b39d9f01f4dcffb2af01ad649a11d7cec50bf862728909ea90fb69bb12109596c5b8fffcb8504b10e6aa9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b78f9856ad87031825e201f2030d2a9e

SHA1
1917dc0ebaca38848eb54bc2152b8b13769eee37

SHA256
7602c431d699891a6ca7c3f69ee3d18d759341261cfb5b798c38ea25077be8f7

SHA512
8681ce72acc955d83e3dd3479b65bd9ccbe5ce6d53f154a02bea9fd526f122e004734f2f622054dca30a4727c75546287ec8cbd36670b84b669018aabc38b39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0a347d0cf17bcb9055eb6941ea4db5b

SHA1
fc2afb9d5bb3bbd7487649686e0b2f11e4f5dfaa

SHA256
c0dd5655f101ca1391d0c5241270a07db47358deda4212710765b84233b06634

SHA512
05c2a9d580c967c244de1ea77c0506459296cd4b6eb8d733d8667d241c1b5420b85abac2b90bb64ef49db29afe9baacb0f6d8c05493472bae2618cf99d27b153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c2d94a72ebb48f50873ea223ca9868a

SHA1
4465fc39bc09e75d318d3ac6cdf67001de0a9320

SHA256
ebcd2865efaf60d452ac1cdf3f21f8251a4fbec1d766e800e26bce2cab4e7ea4

SHA512
23174eebe01b07e7b5d725abd64eeebeed3c89060b029cec138dcde7d6a4298ff348035fee3be82cf8133dc72f0d08c41dfacb75bdeef7b9095a332f540f5ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be355351870d113fa2734aedb7a1e144

SHA1
e5b3d23afe5f58a44473872113e1c849337f4f15

SHA256
93c8803476233c8c9f01e7408f86aa967768aff82c28628ff0a0f734239123cb

SHA512
a2a2caff3bbb53a80be74373aebd33d6e4ee2fc0f47f65e231c47c4ae97f223cb8b24acfa9ee9ed12e447badb8e18c01ed5564aee61545d85229ee917e3da3eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\923f2bb0-2b35-4c9c-a932-0798ab57093b\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b7efc71f-6c8a-4cd0-8d36-a6323aac4faa\index-dir\the-real-index

Filesize
624B

MD5
5c8f932652063eb6a58516924d4275dc

SHA1
b99d17258bc5da8a404474e8555a4e36ad9c6fdb

SHA256
e1331ee8e11398f7726b6571f062ad6de39cfa5414ececde79dc6e1a805e39e6

SHA512
4549545a8a3e2d299a48fdb78bf6b553f6e23409e775d159e2bd9481aeacc17b33bb65dc442c99e5103fa837b0ad8470b048a830f342f03c5fa0a3e97a60bcc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b7efc71f-6c8a-4cd0-8d36-a6323aac4faa\index-dir\the-real-index~RFe593687.TMP

Filesize
48B

MD5
ff13bfea5c0054fa0743ac05f58cebc3

SHA1
6c18af4d5d69a35f716ff00889836766cde2dabe

SHA256
c1efaf01e418e0db8175a5bb50d204b0077a72bf869c5c5d82f35c8ebed1a245

SHA512
dd9379d0f78c90c5092c80858fa24c2894a5e28c096fb2d7e428077a2bfbf122a7d7b66cbedef964b4341769ae182e84f27f720d4daefa9063c0eb9f82bbfab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e1cd065c-dbb1-4455-9dce-d64bf85b39b3\index-dir\the-real-index

Filesize
2KB

MD5
928112e38dbede54f15a7dbd84412004

SHA1
784f74fcb9f7401c256773f7fa30794d3d1b6ed6

SHA256
19f74cc925ae2dd4340dae9e8377bbdc19e82ce0baac6899455302124ecbc7c0

SHA512
65970957836e39e07d8a37fa0f31e9205fa753aedb075fadceb50cf8ccc60edc149f44a8be78b4c198651aa490bb0910ee102e403a02ee80ef9e447ce3103c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e1cd065c-dbb1-4455-9dce-d64bf85b39b3\index-dir\the-real-index~RFe58dbb5.TMP

Filesize
48B

MD5
dd270278293cd555f0af02abb4310fbb

SHA1
595db204cccc7abbc00c3e7c631039fae49b5e48

SHA256
50e29347e1808f7726260162d640503560a7152a26e5368b701665899abd0f74

SHA512
a1459db47fbb73f1f7c70b520b0650330a100554e808f6eca09b5a4f191f11d2780d4f894a9d19ee671b37914f32f4e85fc8a7f5d9177d3b3d7cf6ab20c76a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
4c54672946881641124c23fa005f1744

SHA1
fed81e53928ea0927e4f61bf716ccb8386b9d844

SHA256
8ce7c9821f43e6cd28e9c742ac735f4eb9e514f2137c3b6c216856cac1d7bf90

SHA512
c828e5ec5a058566f55b27cc598fcb77936c78e1969102b158c160d10ea72220667a2cfbd6606a591b33b6c4638af156fb081df9fd50fc3bd9906804bed85f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
e4ff6d9cd7cdf9291271ab632d775278

SHA1
1ab167f2acde62da38a9ac12e3bbbf632b81c1e0

SHA256
edd5b94144f90ef955c3cbfe985c0b39028eea43bcd47fcca19da3b58ebda8a4

SHA512
f2d2d6a1f611c93dba4fdf2acfd45688bd5041c0e349ee38517695a107b511d9af5eb9b935086dae47f4893a1947653c29f2654fe1a078768105e647b30dcbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1189174ba0e196c28fd53ec7d3250c53

SHA1
c6bd3ee9a63d55d1596e37557a986942d787cdfa

SHA256
2f2365d4e6d1f7572d3d1ae64cdbc976b8b02916c4a0d98b20b00368212b886a

SHA512
7d21f4d01bcad19d92c033d22fbb61a1589dafebc3237acd5be6ad3f79c1d37b05868c7c625046ea1f7d042180084be1c7bbcc7bc2d3ef98ed4d92facc46d59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
732cce56e331e1add1b67f8266e89a2d

SHA1
21bf48495f1b5a5bffc5fea5b5e4c8821fcf6ef2

SHA256
4d6d624fb6395b537215dce6aa3ee159a6456cea044b4fa194fb35955033c088

SHA512
8ef8ac63e8b6d2d2f3727e1100d4d58353f622fede8e4d8943ec18537b84d0c90e13eec8a858de8f516f24f086b84bee7510bd376b2bc381627ae57a9285a13a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
9ae183987fb93bc95516fcb216c15987

SHA1
cd21047b0e66037791fb2725147187520a832ce9

SHA256
2745fcaf748b77f4ee50edd1d0e04ac4652235dab867cac6f73dd165eea337a3

SHA512
ca0a842a490306e093ffe00244d3a2c03c11da1a58748865c21ebbbc5799ba89cddffe1acf11ddd9db4213bed2fa4908b999d3f9de6c5b5ec82515fbf3a69abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ff93928affdde183822ac49d2cbdd5ae

SHA1
1e8693d23e09363245235ef4c35612e4ddc63f92

SHA256
51a9890994b22a3fd0fe640968e656c654dfe90a2b916cb6ca24414c6ce4a602

SHA512
dc5f40d1f6e3ff7fe220c9a59ec4b6dfb504fc4f38c91f2bad0c7d6839e506d3bed1f5a7085ae49f50d020cac30dcee77b7f819ac2c4f45791b5ad4d3396bc98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
2a90e9e6affde9ac3d525ae6ba846e51

SHA1
c188d9b6e04290d55561bb3bca9f6bf6a8592a56

SHA256
9c94a9f7befbafa61d208fd8ff720ce8db63694014608f0601f4756a9504d6c2

SHA512
14d8fc78b6555c4e7af8d88fce20719127f1b4f1dd8d67fbf820b03460f3f444669e7c60eefd1018504d063cc33926b5eee487da0915b28ea342ebbbf2f97eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
679850fc72004c9d66b9c6ff5dbcc74e

SHA1
5202cf901e53e20d4043e5580f8173ff197036a3

SHA256
e9440d8806f47a149e1c3becdfc48e11891782d91ae2c6e021a53f0ce88aff77

SHA512
b56437b3a57ca99e27a8a374596b49f396d23cb621be597f15850bc20e564c3c99f8c189c826bbb97ee77ad6ebe1fb2eac52ce037fa0639180640ea92d4b57c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592dfc.TMP

Filesize
48B

MD5
5624a6595f8d034628fb356946d3c4f4

SHA1
0c93e3fe220e4434d1356659a6ad3052d7a6b7b2

SHA256
43b4f44347d92af01a9bb2e297699b146bf14ceb368b17e81fdc1b563e463981

SHA512
d989fe00d9cb1f804a4bae124c7e203b0a153b7d43d31addf53a20c2540ee448c979db8843f5e7cdee12e1dafb0ff2f6b22aadb3326e315646aa3bef30301b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1b9c120b9f6abefef3ed5b9aff866ff1

SHA1
02adda1b85d3432bae92c44c75fe5ef85a53b11d

SHA256
750b8ed57db60688df27ab7dbeddc777877fd78794e68bce850f53cb4ef47fe3

SHA512
6b05b843669b55d636f68039ca80be48a0255be713637a752aa060f954fdb14d14ae6f2ef4cdcd3d9af1440db40f87915379108defcca8a18de9f7031c77cf61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3a10fb0c7defd92c3a35a17a375135f8

SHA1
0a9fa594ad6b68a6ad1227a25802bb97745680cb

SHA256
57b9faebdd56f3f2bf01b43ec2d92262f45ffd0c515bf038af04aad448a2429d

SHA512
194206c21e2886bfed7d37b7cae4011b0893467e9892073989172ded5313b61b35eb46d7bd9ee19fee47112902ae352bb574f0d64f6017e2cc4d0291c31fbc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aca5c101154b75bce2b8c4fc07d48e57

SHA1
aee5be617f1040c0c3a89c1329d8783427a92814

SHA256
3a2c840d218e1a532944fb06bbd09fa586a82aff06236d4697e93a032098125c

SHA512
2ef22fcece67107b5defcbc54a558f141351f5069b250f0fe4d57b55513e41205649679558a08fc82bf4c8011653bb49cfd86132cacf72d1bc0beebd7590de18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df2ca7953a654999dd0ca80c14339df2

SHA1
38f12fd21f202b53077980a4b39772094d62c699

SHA256
d7f82ed8586dafb856b37a371c487243bde6e6619c72ca5eeafa6e4c1106d388

SHA512
61b328e15c8e4a0cac0fde8cb8db81cf86c02915a44d9661c6b8c00a337d3c2f7bccf6e9e7db0e0e7e93d5f2110936d842ccbb7fbffda1a611702ece02abb4c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03f9c7abdc7e997cbb5b43057ddb2bf8

SHA1
3e99f36b73c4ccd0268d94a98858cd5993776219

SHA256
6480a24e8ec4863cb2a5b006857bffdcc42f1dd05854fb05a906047e92a24466

SHA512
7beb0e6f87c4e55c104149cf8425056f10e8a1009683b756f29b2f9feb3e6edba265872623e093e26de2c3e30e900501752b253a4fe1cfc9f83c7351ec6cdb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7b377ccb1115711d1df5b4926c49bbb

SHA1
41d20165beaf990c9358a52fdd57174de59bc8a0

SHA256
457f58af52485044ca01dcae6648f856692418fa3b4c770b168bec8ecd759b0a

SHA512
75fce025d7306d846f597c7d343014669780b6eaff82934aed9c229c15ee05f7453610866c201d2dc2eabe75c9e0d7d418bfb4f5fa5ecaafbfb3010f7788602e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df92.TMP

Filesize
874B

MD5
ee973e960c495b9655f4a0f3af4962de

SHA1
55bfc5c9dd1377bcb013c75027cc33ea46d86541

SHA256
f7a7126980a387db24d949b02f9f28648f505e13a44f1e3ceda0bcf2f0478cec

SHA512
2da1f280c4271d2e9789d9a3b0eac46c57d5522ed7b61c7826ed55b708b58d00934c10b1e38030bc319dec05c903fe5534df345f72101ea34789777b9df95e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f68adf21-36b9-4c9b-b0ef-b5ebd6ce5f5b.tmp

Filesize
6KB

MD5
452609faa2cbdf62cd8efacd38d00a51

SHA1
c8ddb6eaceff53457e6a2185761f4a00e23c91c9

SHA256
72a65c1340ea4320698238d4f2c64d55c1e4bae723ac2addba45d9edc5c135ad

SHA512
eb3066997bff7b127d804a4da6bbf90e2069799e4c1e00426cc2af29b742bbaadb3b3db4a2de4fcfd064b24e1fad3b11c4d24f8ec1fdf9ffc5775dc47893ad3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f9c96cc117c3dab7384a1b05f86b079a

SHA1
85fe4f9dcb2ceee4402b681396353fdb3d5d1472

SHA256
1db49a19e1b0c197df43e95fb62c44f395b70d7583da8cc25077bc5fefd60fcf

SHA512
29fdd108abda5aa9776460f3ea81b7d41532405d5d20613f0621ed99d8a2760b21db862c1c228b0c087dd61986084cd0d568afebea86c9bb3ade5ce1d3c460f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a360aa2a37cb0afcc30201f8895306f6

SHA1
e01713aa3eaf18ac20f91cf38c564ec093dc787d

SHA256
faf16ac97f7405ba5a3acc1265051d8a2409b54b29a1f803682d68afaf4e393b

SHA512
f40563551e1946b9cd258a9ef057265ea486c1ae15be184b7f8fc1bfd997fe7101f7b604faea163dc686344db930be8a5aa2b8b13f972cba8267cfb705a58b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0d3526bb96fa6a7baec798668712cb4e

SHA1
9736327e005a8a2872b445d09bf5a3bcea9c4492

SHA256
7e2a6996b15d337386c75b1f121909dca943fdf7c1fff6a2a767650bb498ed3c

SHA512
89fb503a061495acc2ce388a3a4eab5a76b689381486aece9c547086387c07a69ace1e5c74b9beb877dfe0e69e96a84d1079159156b9fad903d5615127b7d0cd

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads