3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
38s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 06:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	MEMZ.exe
1892	MEMZ.exe
3708	MEMZ.exe
3708	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
3708	MEMZ.exe
3708	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
1824	MEMZ.exe
1892	MEMZ.exe
1824	MEMZ.exe
1892	MEMZ.exe
3708	MEMZ.exe
3708	MEMZ.exe
3708	MEMZ.exe
1824	MEMZ.exe
1824	MEMZ.exe
3708	MEMZ.exe
1892	MEMZ.exe
548	MEMZ.exe
1892	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
4048	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
1892	MEMZ.exe
3708	MEMZ.exe
1892	MEMZ.exe
3708	MEMZ.exe
1824	MEMZ.exe
1824	MEMZ.exe
1824	MEMZ.exe
3708	MEMZ.exe
1824	MEMZ.exe
3708	MEMZ.exe
1892	MEMZ.exe
548	MEMZ.exe
1892	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
4048	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
4048	MEMZ.exe
548	MEMZ.exe
1892	MEMZ.exe
3708	MEMZ.exe
1892	MEMZ.exe
3708	MEMZ.exe
1824	MEMZ.exe
1824	MEMZ.exe
3708	MEMZ.exe
1824	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	taskmgr.exe
Token: SeSystemProfilePrivilege	868	taskmgr.exe
Token: SeCreateGlobalPrivilege	868	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
868	taskmgr.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1892	2016	MEMZ.exe	94
PID 2016 wrote to memory of 1892	2016	MEMZ.exe	94
PID 2016 wrote to memory of 1892	2016	MEMZ.exe	94
PID 2016 wrote to memory of 3708	2016	MEMZ.exe	95
PID 2016 wrote to memory of 3708	2016	MEMZ.exe	95
PID 2016 wrote to memory of 3708	2016	MEMZ.exe	95
PID 2016 wrote to memory of 548	2016	MEMZ.exe	96
PID 2016 wrote to memory of 548	2016	MEMZ.exe	96
PID 2016 wrote to memory of 548	2016	MEMZ.exe	96
PID 2016 wrote to memory of 4048	2016	MEMZ.exe	97
PID 2016 wrote to memory of 4048	2016	MEMZ.exe	97
PID 2016 wrote to memory of 4048	2016	MEMZ.exe	97
PID 2016 wrote to memory of 1824	2016	MEMZ.exe	98
PID 2016 wrote to memory of 1824	2016	MEMZ.exe	98
PID 2016 wrote to memory of 1824	2016	MEMZ.exe	98
PID 2016 wrote to memory of 4408	2016	MEMZ.exe	99
PID 2016 wrote to memory of 4408	2016	MEMZ.exe	99
PID 2016 wrote to memory of 4408	2016	MEMZ.exe	99
PID 4408 wrote to memory of 1328	4408	MEMZ.exe	101
PID 4408 wrote to memory of 1328	4408	MEMZ.exe	101
PID 4408 wrote to memory of 1328	4408	MEMZ.exe	101
PID 4408 wrote to memory of 3920	4408	MEMZ.exe	114
PID 4408 wrote to memory of 3920	4408	MEMZ.exe	114
PID 3920 wrote to memory of 4512	3920	msedge.exe	115
PID 3920 wrote to memory of 4512	3920	msedge.exe	115
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116
PID 3920 wrote to memory of 2468	3920	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff92af746f8,0x7ff92af74708,0x7ff92af74718
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
      4⤵
      PID:2468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      4⤵
      PID:1928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:3788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8249917499266863385,13951020114491052901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:5468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e38aae67b28f7c7d951c247020d08b88

SHA1
4c5638071f9f76f184a485c9094be630be0ba4b1

SHA256
541d21891c180643dd204649597ed89cd4e68e513694077ed653e6bec47344b3

SHA512
be2012a742ed2a783a5c242f88ef8d87213ff0d407ea2dde1cb7b6fe39593a5774c76f64b0065eb80556bda5eac926c807d4cb118c16e2d404f08a8fae12d090

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/868-14-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-11-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-10-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-9-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-8-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-12-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-13-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-2-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-4-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download
memory/868-3-0x0000019266360000-0x0000019266361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads