fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

Resubmissions

26-08-2024 07:17

240826-h4bzza1hjc 8

26-08-2024 07:13

240826-h17mgatalq 10

Analysis

max time kernel
249s
max time network
255s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-08-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3344 MEMZ.exe
3564 MEMZ.exe
4624 MEMZ.exe
2392 MEMZ.exe
4524 MEMZ.exe
3768 MEMZ.exe
2888 MEMZ.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
56 raw.githubusercontent.com
85 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3296 4824 WerFault.exe regsvr32.exe

flow	ioc
3	raw.githubusercontent.com
56	raw.githubusercontent.com
85	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

pid	pid_target	process	target process
3296	4824	WerFault.exe	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MEMZ.exeMEMZ.exeMEMZ.exenotepad.exeMEMZ.exeregsvr32.exeMEMZ.exeMEMZ.exeMEMZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{4238BB78-1E3C-45AB-9A9F-51680AD5FB40}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 374842.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeMEMZ.exe

pid	process
972	msedge.exe
972	msedge.exe
3124	msedge.exe
3124	msedge.exe
1360	msedge.exe
1360	msedge.exe
3668	identity_helper.exe
3668	identity_helper.exe
1096	msedge.exe
1096	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
1556	msedge.exe
1556	msedge.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe
3564	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MEMZ.exe

description pid process

Token: SeShutdownPrivilege 2392 MEMZ.exe

description	pid	process
Token: SeShutdownPrivilege	2392	MEMZ.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3344	MEMZ.exe
3564	MEMZ.exe
4624	MEMZ.exe
2392	MEMZ.exe
4524	MEMZ.exe
3768	MEMZ.exe
2888	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe
2392	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exemsedge.exe

description	pid	process	target process
PID 3668 wrote to memory of 4824	3668	regsvr32.exe	regsvr32.exe
PID 3668 wrote to memory of 4824	3668	regsvr32.exe	regsvr32.exe
PID 3668 wrote to memory of 4824	3668	regsvr32.exe	regsvr32.exe
PID 972 wrote to memory of 3316	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 3316	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 2148	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 3124	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 3124	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe
PID 972 wrote to memory of 4848	972	msedge.exe	msedge.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 460
    3⤵
    - Program crash
    PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4824 -ip 4824
1⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85c0b3cb8,0x7ff85c0b3cc8,0x7ff85c0b3cd8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3440 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7044 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,3662187933230772936,747674134772241393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3344
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3564
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4624
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2392
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4524
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3768
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2888
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8b600f016bf88656fa93e385b69e1d84

SHA1
7f94c0d3b6769779c69ff5637ffacdd942ac0da1

SHA256
15eac452c0afbe4e3e97d56e1a1167efef5d9a0f285383c3a8abfad7ea6f3e3a

SHA512
04bfca4aef0715599b2ae137a8d9e83e97f820acb36552b29319894d7be6e8cf7d62c6c7bf9488ba2ced35a5db1d8356a67da0b7a3f865be238efb2857279b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
44323965bb8b5229e02dae64462a18e9

SHA1
caac458c50a926d2acc12d3ce0363f6dc2d7cc8b

SHA256
ecf015382f5ea3d48e5680a2fd823de8255cd97c868efb50be54683dea49a4af

SHA512
fb322f85e7b5313f0954b7760e14e57eb28cf221bdb9c1efcc835dd4a415c13a84acc01a58463dfb003798f03381ea87705db4b077331456f4bb7b260b0687b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6d6f46be4b20df2ad52ecb7609a2fa5b

SHA1
4f932d001c85dd919c2b061e587689b1f782997c

SHA256
188d68fa433cb212a56c38caa271db63ca352b9426884ddafa4b94c260de54e5

SHA512
565172aafccde69e72a646ff0df9d858dd2812bd1207b51ab03e04dc91e1054c44bb1f9c740c16687e193a8a69189f2cd100ee433b7d2b2d034ec58b568a3450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
782B

MD5
74b43b223b386913d7364860c625bd4e

SHA1
9712c387e020abd5884772c548614f469d270217

SHA256
780cf3ff453db76a8cdfb6760236f7afb6a32ffd88d13b7446e66f37ce0f6727

SHA512
7d85accd6b64a45e82cd483eda5a9b7ff9cab1cfa154c92cd645378e00398b88c3df906b7d57a861492c5054cdcf2cc38f0f11741681d02202d478f5a9790d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8d6005a01495755322910b410af73474

SHA1
07e16aab4009e2d2b038c8f31e768a28744c52ba

SHA256
1c1bd799090415d740437bb99d280486af0977fd626d4809d1acae8b714f5219

SHA512
e7f7de446cd1cf46d8757e3744d0570d95c9d7c06d6888270ac3dbe9b9a879f46b6037d78dcefc45e3ad3c6ab749a22fa163dfd17677cf80e0b9f1afcee887e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
aa7887c5dea966b62cd8d519e93a46d5

SHA1
0858b78b037287086d35d50423d01afae7046d18

SHA256
eb9986e9c8b8bc906f4f44a19ca7a8a22475f46942624b8c09d55187122d953d

SHA512
f3bc080b657491f657c45a649c117756e4f42bc6953db23de575c6ccb85ccc49ae8ba5ae76ca19a22fc7bc106af4254e826430f8435dcd4d454361cda7ea0097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11993d4440927e210585deee7964b05f

SHA1
f9826d2541bc82b5acd7d88d09478e4fb83d3c07

SHA256
ec5402336fc5415e8f0f5bca9a0b1c7a3f3b61870cdc7876d73c7b5bde06e7be

SHA512
7e7634664d1c727dc3484663d7ed281273bf77bfcdbf8e5b9ade1081c7cd2527472f1a353955945d2a8eaf2bbb094d00d88cbfbf5323651f39a683c809bc70da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b98cdc2f9eba7dc371be863ef8ed1f8f

SHA1
6953859848167e5140831196dc7372081d65b0f9

SHA256
9c84d0221e7ca2dcbeb75be5bf3f8d84e29d6dabbbe3b55feab0ab5885fa9cfc

SHA512
4e2cfc8b16379592e230953b1149ba4d7bed082ed96babee0dd354cbdcc9024cec6f6389a32746d3bcdfc8d8d448e4531bbc0a7a519f061edb15e1bb8d386cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34d85a61f48e5a1a08a1b6de5dfe9ab6

SHA1
05764d97ed10a2942d764eb26fa0fbdbf965d79f

SHA256
c11726c3e78658322bd9c08361a763b483c3647620213a704954b5a68a9cc626

SHA512
5c9f60328bedb93d41070794926565926249591c2ed365f5a8990f48e9545ddfa192dd84e7f2bcefee9c48b731cc4c9abfefe41b27dc5a6f92f640d60a8b6cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fab7140ffecb0eb9ab1287b7a014f970

SHA1
44596ddacfa7b9f73c7a29f02002d9e3658743d9

SHA256
3d3b529a7be310d4a4f56e9cdf8468213c6c94ace536014a7e93ceee090da99b

SHA512
523da89166493e6f3185ba84ba184fb1aa3f5863d7c1a0a4737863aa3fe9f8f1e5f3c601dc8b70cc856a0a9297b76c5b1542b264e8dd20b51b70f972ed80ceea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c6ec20be1dfa27e398a269508cc215e3

SHA1
690637739851ac4350dbddf9d838eca07dfff347

SHA256
aae686b6339261e6c291584c3757200721fcf0112449561f9b63ebe0bf990fce

SHA512
f69b5e32287fb8853d75eb370a3333e7bc69262df78b284ac460231f33447e90f41ac56ad14b994c25212c8bfc12792d190de2bef829c08a8f4b01925ad55921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5dd8d1475e11091c6b3cbffa96b345d

SHA1
f19953f6f916063e78a9f5a5d839bc12dbe94000

SHA256
637994f716e0180ad55a03c578d62666afcc8d44ae7a02a59f6d907039c058f5

SHA512
06b215362236566cb2ed55ea75722219b1bd9eb0b33ca4c42d3725cc3602619947188b57ba31ea0d6c509c96892c9d8f99c106528f9fb46f68d8229356f3f29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9221dcfd22ea8e991cb9b939d39920a5

SHA1
81ab44bd0dab478cd6baf66b5be0fe587c816a2c

SHA256
b4dcf363b16e08b8f30002602483925b9d93f74fe29432f5e44949f5188cf148

SHA512
a58cd195235338a157cc1f723948f2bb5fcb2936db9e6010177c53623e75304fc31e9c391c37389b5380f38c59c8782d460f3c5bcdfe7be98c0cd238a4f4f85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b9e7dc0f58206683c21beb46109526f

SHA1
8efbcec910aadf8d1ba4fd9ab151214208e88159

SHA256
99d8a378476f26cf3ce78c2febe478525907818020c09ad0d6b49105076664ed

SHA512
0ac92d051293290b22e465e56a7abd32cc04bda5cad8ba7d545d2ca0f81a26f40489b1662877d8383be20649c368513278b24413f7a773251567aaa18b4442df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f46ec20b08edfff02390ec951083e520

SHA1
f3ecf12754221236320a6ee4b633975322f06d76

SHA256
560dece8bdfd1824ddcee0b773499fc47b0330e6dda817241df5408aa6cb70ee

SHA512
7390386223e0a487f590f506b108667b119f27a5e5745c9be35df6e89c8ffe0ff50f481b6ab4cbc663555d49a757e661a043e8b98b6c19368e7eb770efb90031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
909e0f51bdcd5495af183ea11f2d83b8

SHA1
3b5b4404215ca172c5ae724b39aa17a56e8ee849

SHA256
80c7edbfd3ec4fe89260ea6a8cc7bfc3b5a07ae70f65d9324e06efc522be1641

SHA512
13f31053717f1e6634a9210913161e7c2a221f8b3d85e439cee3f4dee4df3af24d4dc3067945e7b320d3796a4363ec6d447401823f8bfa00694a56ce47d6b768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0018122699f6c875bcc16f5c5116c6c7

SHA1
4f43b9822fc6d82ac414b7a42889a315a73c6dd4

SHA256
c6d94dcaffda4891d1abf4b3a6627046d2d65ae0c6262c6806a8cee11be2cd88

SHA512
60a304b6423c3b8bae2b325627360664e90a762f0edfcfa0ac9ba793194322f9557bd7cd4429b3fabd7e67cdd35660fe239bd89438e9d4488fac53784edc8ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
45a5903d386346292cafe93cd8c47598

SHA1
e08dcee113f80cced4bd133cac46826ad984ede2

SHA256
38adcf5de2829f4be66dc2210ecec6d1cf9f541e6772a496f56d9a0fe7f31bfc

SHA512
0f1d5318512ee2deae11b5b911a5b0cfcb928893d76849ce30fa07c8abe400029e367cbd77f37fadbf954a1afc9eac716ecfbaa50404abbb883a678928dbed68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584f44.TMP

Filesize
534B

MD5
1269dc45cc09167d182e8dc0bea79355

SHA1
a50f788e8174c7147af5a299357586c98a19a991

SHA256
66f37dd4d5de1ca82e904baaa49d082b78638300ef8fa8dc768b939a8eb92808

SHA512
5f1095f845cc4bc8a8b83f6fabfafceac07c39724a850ac106859b4a848a7ab92ca9b24158271fcd34e6c30f1b945405d58d5a00e800a87e7b96f5eedeec855f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fa06d5d6-5e27-43be-859c-459bb5b3035c.tmp

Filesize
1KB

MD5
11a98b5a72b420bd2dacfd347d4d3c69

SHA1
cc63d90c24e711cdb0abaab20ada1e83764ccfcf

SHA256
f6377646f6af4f3074934c27f384f83b6c21821fd2fc34a986be5832ba95d184

SHA512
6b41841856eab9668ddba8e55430a632c8682ca2101e84f05de6ebb31b07fc56d35ff62aa81c8b7f3c37103cbad2842b0a048222cefdfd2643b05d86138e46ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26669438756b8d30fcda9dc26c0f8a36

SHA1
5e54c089c363acce9dcf8030c4de53f957e26ddd

SHA256
0f144e14b7875c0e02d9dfe5da80b3eed4c63cecf34d54de9fe4f193dbc5bd4c

SHA512
24962a651fbd037eb0dd6417fd5c4a44708a3f6fcf79523ffd7835e122f87a8c518d5ac0aab9de49c8bd890301ae9f66d511928a5d6e16495a117f39478ffe98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e4e176df5c78b623857d34624c91e76

SHA1
87d988cc420f95142c746c3d4c893c0a5afa2a7d

SHA256
58276a7d5d4f25f77bd44d2bda4ee99a0717f2b5a830dd81f9e55b73411c3080

SHA512
43dcecc279302fee374f06cc567714252a1fd1bbd952a0608c2f75a72c44546f501dce1ce9a8c3e0b99fb65fa67ee81df25844480497dc5a4619c8b59a0bd301

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier

Filesize
204B

MD5
59338ad5fc464ddf09ef156d4a061e73

SHA1
cca59e7873cb9edab4e583aec4fca05b70f950ed

SHA256
a1616abbc383cf06a38894dbae1bb2892729824add55d8e1c029e65589f82ee7

SHA512
420e5eda189ef8ab69e4a0c424f66098034a4622fd13d8925acdc279214fcd62346d635fc454b7eab57ff4493cbdb2f3f291de962eb7c4f8c3e38b8afbacd0a0

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_972_CBZMHNRNQDJVBMXU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4824-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download