hxxps://drive[.]google[.]com/uc?id=1jRDzmkTJb7XndvluIP_b1roA7-HqaKcJ&export=download

Analysis

max time kernel
709s
max time network
705s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1jRDzmkTJb7XndvluIP_b1roA7-HqaKcJ&export=download

Score

8^/10

bootkit discovery execution persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 17 IoCs

pid	Process
4396	7z2408-x64.exe
4808	7zG.exe
5280	7zG.exe
1000	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
4948	MEMZ-Destructive.exe
5408	MEMZ.exe
696	MEMZ.exe
1144	MEMZ.exe
1648	MEMZ.exe
3008	MEMZ.exe
5880	MEMZ.exe
2628	MEMZ.exe

Loads dropped DLL 5 IoCs

pid	Process
3464	Process not Found
3464	Process not Found
4808	7zG.exe
5280	7zG.exe
5584	cscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
11	drive.google.com
203	camo.githubusercontent.com
207	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\x	cmd.exe
File created	C:\Windows\System32\x.js	cmd.exe
File opened for modification	C:\Windows\System32\x.js	cmd.exe
File created	C:\Windows\System32\z.zip	cscript.exe
File created	C:\Windows\System32\x	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 487802.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
2132	msedge.exe
2132	msedge.exe
4960	identity_helper.exe
4960	identity_helper.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
4776	msedge.exe
4776	msedge.exe
4660	msedge.exe
4660	msedge.exe
3004	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	4808	7zG.exe
Token: 35	4808	7zG.exe
Token: SeSecurityPrivilege	4808	7zG.exe
Token: SeSecurityPrivilege	4808	7zG.exe
Token: SeRestorePrivilege	5280	7zG.exe
Token: 35	5280	7zG.exe
Token: SeSecurityPrivilege	5280	7zG.exe
Token: SeSecurityPrivilege	5280	7zG.exe
Token: SeDebugPrivilege	3648	Taskmgr.exe
Token: SeSystemProfilePrivilege	3648	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3648	Taskmgr.exe
Token: 33	3512	mmc.exe
Token: SeIncBasePriorityPrivilege	3512	mmc.exe
Token: 33	3512	mmc.exe
Token: SeIncBasePriorityPrivilege	3512	mmc.exe
Token: 33	3512	mmc.exe
Token: SeIncBasePriorityPrivilege	3512	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe
3648	Taskmgr.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4396	7z2408-x64.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
3548	OpenWith.exe
1000	MEMZ-Destructive.exe
3004	MEMZ-Destructive.exe
1856	MEMZ-Destructive.exe
5864	MEMZ-Destructive.exe
4756	MEMZ-Destructive.exe
5468	MEMZ-Destructive.exe
4948	MEMZ-Destructive.exe
2628	MEMZ.exe
3680	mmc.exe
3512	mmc.exe
3512	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4652	2132	msedge.exe	84
PID 2132 wrote to memory of 4652	2132	msedge.exe	84
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3912	2132	msedge.exe	85
PID 2132 wrote to memory of 3636	2132	msedge.exe	86
PID 2132 wrote to memory of 3636	2132	msedge.exe	86
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87
PID 2132 wrote to memory of 3724	2132	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/uc?id=1jRDzmkTJb7XndvluIP_b1roA7-HqaKcJ&export=download
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3724 /prefetch:8
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,11951743136396542562,12924751577857333403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5376

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29654:68:7zEvent274
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11748:68:7zEvent23853
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Users\Admin\Downloads\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\MEMZ-Destructive.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1000
- C:\Users\Admin\Downloads\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Users\Admin\Downloads\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Users\Admin\Downloads\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5864
- C:\Users\Admin\Downloads\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4756
- C:\Users\Admin\Downloads\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5468
- C:\Users\Admin\Downloads\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\MEMZ-Destructive.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4948
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
      4⤵
      PID:1824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:3460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:2544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:6096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
      4⤵
      PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
      4⤵
      PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
      4⤵
      PID:2372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:3544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
      4⤵
      PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
      4⤵
      PID:6008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:5892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:1680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1884 /prefetch:1
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11738143276307308471,9160707373036740341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
      4⤵
      PID:5756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
    3⤵
    PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
      4⤵
      PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
    3⤵
    PID:1312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
      4⤵
      PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\MEMZ-Destructive.bat" "
1⤵
- Drops file in System32 directory
PID:5656
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:5584
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5408
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:696
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1648
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:5880
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2628
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
      4⤵
      PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
        5⤵
        
        PID:6024
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3680
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
      4⤵
      PID:2632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc4cf46f8,0x7ffbc4cf4708,0x7ffbc4cf4718
        5⤵
        
        PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d936b1d43351f7842948c340cc534ca

SHA1
7d22b26039f6ed476c04aebbf771b770ef28091f

SHA256
a5748fb829b32d3ffab390823066f319ee677a0776d760a7376df4cbb2775ed7

SHA512
2bd75042ccffc65407c3f85af3fdccdd160137068dcdec81d4c33d9b0d78b110294900393e1a5265e1f1364b4c58875277ea1cb0d2477f98bc9568351ae8f77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffc39812e2fcd5adcd109fff6e72c856

SHA1
927e636b225729179e43d8d731e3e4552a4f6405

SHA256
0f33fce94f0ebc3522f3d32883771a853a9041a4a59632a70033f12ec352d754

SHA512
da84d9e272245762fd8eb693b83b1beca59d513477e99f798c34f3ce7aeba263ad97834f8c315eb9fcade7d21c1925c13083d411f7fac7bf18594b860c57d6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
38KB

MD5
d4586933fabd5754ef925c6e940472f4

SHA1
a77f36a596ef86e1ad10444b2679e1531995b553

SHA256
6e1c3edffec71a01e11e30aa359952213ac2f297c5014f36027f308a18df75d2

SHA512
6ce33a8da7730035fb6b67ed59f32029c3a94b0a5d7dc5aa58c9583820bb01ef59dd55c1c142f392e02da86c8699b2294aff2d7c0e4c3a59fce5f792c749c5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
72KB

MD5
7c244372e149948244157e6586cc7f95

SHA1
a1b4448883c7242a9775cdf831f87343ec739be6

SHA256
06e6095a73968f93926a0a5f1e7af9d30ecca09c94c8933821ca0e45732161ed

SHA512
4ce4d73b785acde55a99f69ea808a56dec69df3bb44ac0d049c243fc85544db4c020412634da52a069b172e2484a6f2c36799e38adbfb988bcb5703fd45b3601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
caccf20e1365cc4a59e42b88c1da18bb

SHA1
dce77e036c76a101ec8800226652340459d3d905

SHA256
603909e9ea1a51d4ed685e53bcf677e06f6dc40229e7831e3e5579fcf5a79ad2

SHA512
480239130d1dd0e328ad631a3bf3b3b254a57aa5c2ea891da43657acbb915a0972504cb24293e82097c1502e1717dd027e8d547d0388aef554fc6b21bccb73f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
302cf805897e32145a3915f9840ca584

SHA1
a38220d6da3961460905758ac8e56d2eb67ff56f

SHA256
c17b4800bee310b6841bab0da8c8ac3c63b9ab346b8a61e09b82319cf0d4b943

SHA512
5286eed1511d675b15f2df3aae75cf0b08c6463d635d4bdf65b2b08da5d80580886063d4d209eb9109cfb7ebaaf31201303cf56cd3648dddef15ce167ca0d284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bdeb537edb95ae31fb4e5ced4aefab8f

SHA1
7676db5729d2861da920dd9b4ef53d10308cc043

SHA256
c6aab72da96f8b11e5e9b0ae937d8e73b12dc4d16e17c21ecd112be0cec366e1

SHA512
f4a141c9c7348c596e9b2c54124153780f653ee13a0335199385dea2ca37ef2217edccbf54e1fa0f93cfb787fcde5a0f9dd364ebb24470e85f160d10de04f7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6dcab3e03935a53d12a69fae2f0d1ec7

SHA1
1758cec72b8b976d3480f05e76c4cde9714127c2

SHA256
136e82b1a6215aa2b287f38f350e1036e238336f305cfaa821c080fce058dca2

SHA512
37bb574ecbaed921db81d8500ce59d5206adc3e463ff4a740bc22a40b5eb5ccd020795ad4f456222b25109d4ce7617615d3bae2f85e4ddcb24cfc1981bb482a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ad4c69ddbf580d548479650780bb090f

SHA1
c4f058f309946a4944f064b0449a69a165365d12

SHA256
46fb3999324124da0cb63b405aaf3dfdf8062db907474b51d9c11a7f089fa4c9

SHA512
65fe6beeccc15b2c5fb2e174e08b413e390a9e98b1f73c9113ba9910c6ad1924ce2d6b84607c670b90d754b6f219c647286bc78b336c1499c1d18dc3718b9052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9f32517c233cf93e2a71ac8c108637cb

SHA1
c70ff7d3f2b27d735320d8af50175c77e6e3d944

SHA256
ae6f96c7435e9566f46f27859a4f88c953c9ea373bac90c2ac46b246c0a8d515

SHA512
ba5f137ac404577c49b0a14faea77882844daa5a2ef80e00f131e0037b1bde872744de75e914f0b2f6197e3b16cd48af5dbc9322d7905499907a833529d1007b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
766B

MD5
cdbbe464753d990a9c9c19c26fb80c5a

SHA1
fdb41c0202d9bd2d484a346a988409bb998c182a

SHA256
076727ce067be1c19b5f0f6b1fd34994da755abb4891014ce463d8b3d7fed95c

SHA512
58e312fbd149062de093fc9ecac6e3b4efe3c4bbfe016dc4243d1691efd4b7b95bc7746955c8feae71cdc133b0cc98bf4654af301d771d1d084983450a15736a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
76ac8fea362f0f19a3f3063da02305b7

SHA1
bdbe679562ba2319fdd60f0ac6b3d01153eb0c1d

SHA256
537eadbad759c19a04a6d80ce7cecbe126d3609fd2ada663df09fb36f3e518d4

SHA512
3b5b80948874ff34fa46f598dbf5fdc68ff3277ff597dbbf10cf40b7f972d80d6c43f115ac8db14f6c580eb0843a5f233222ef33b1ba11877ad9f9e50b043f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a0d626faff1193218dafc434f988616a

SHA1
3853665b8a6e818cdc4772ce71f86cdfe5a842d7

SHA256
8e429ad5ce398b404c3c7e80d70f7b214cd138e83a1c5f8441e042078d5a54f2

SHA512
ab6cd83d1d2a70e4bf62e547b40cfa7ceb6f6ae27bee83aa263ddcf4206f1cb75df4e1c873fed9853d8251d6026244300b238c083d26737edac0bbed9eee278a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e5e889fe93b07e763aeedff6d47873eb

SHA1
f2c7d43cef5459edfe4463684e23aac934ace7af

SHA256
3254f9ab3146bf2a9effaab5e5262d61aed1ee1154b13de491b3fd745d91f90b

SHA512
9e5ff4b850e342a819a748d59ef78dde1c31502ebc070df95e56add5a43f9ea8dea84761e0500d2a71f8bbd2a6e2625178a0b11072ebe1eb038e31806fa56779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c39372febc4fa6bbebfbfb8b17669d84

SHA1
2d4e7bb0fd199724e36b705438eb3679b0815fd8

SHA256
69ea0b49f8573598720c5ab88260ecdd73197a4466fd04430e51d6e1f4a4c032

SHA512
12919f563e8144029bd91ce35973a5529aef869e3868ee3d4c3a8e994051ae322be7e76201cd2639cf3cad84f950d1bb071dec3843d66b564d87f73a8a1f2e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0e0e73fdfcd4222d4946233f1b5d420b

SHA1
28de174e7411dabbd3e7f9d68ccfde932015bc1e

SHA256
75621279fedfaf5f1f5e10d42210cbde53e2207a515400cf465dbebc510ede47

SHA512
b79299bf11d1ed013191bf924b026d162d7a46e03036f1f4cad1aaa7ad92a26d62233ba8cd705481c90a97542db5284c4325be38e56523264ca044ddb030189a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8da1d4e09e59d62282750a453430621e

SHA1
65de43fda3dd962ca74ce6149dd7196c500483cb

SHA256
052087bb32778befe144832bd8506d042cff9bd1164509ae284755d9cdca571c

SHA512
a658585e354e4c4ce29e36218af4c4378a09bbd48f7a6aa8be48420cceadadf877c8529b6361e9e61219fd4f6599f0ef10e28b48252384b4cf7df7e25bae0e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ca67316a5240e34ef2d6e3ad352e736e

SHA1
9536ca2ffe612054579e80a138046a6ddb23d322

SHA256
a2f09482b7aab1b9e134856ca18dd8b8ea9d987600199ce072b02eb44ee11acb

SHA512
bb9802cf413cfbc9c6e3a3b14be7c1176f654b9f2d4467f0f835fb9a76b18053197178d52d2c1a841a810712b9c7a0a732a36a06bc356831bded708566d80850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b5a0bba99fbda975570908772daed322

SHA1
05f3946f14825e267655df8aacf3936272b4a7fa

SHA256
24c36f38a94c2994d37b5ff1976c1acd686686736c1b0f89fab1cfa0b686410f

SHA512
8c6c5ac6e1705017e4b4dabc58f2146c999b8aa44881dbe135fea4409954e4b367ec39260c725a3924316f83d66be9b99d9c00ecf3ceafc90cb39242b716280d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
548923a6741f43c8c7545a1a05b3c216

SHA1
45820f771ef1f5eb5346d96a985c4ee80a9fe8c6

SHA256
a1dc33efba1724889c5310416fffa9e0f3d39939bcc97818172882039f87185f

SHA512
7f16354d9aa9728231d259c4bd85a178c70c32f2b4a92bb4af18c0f53ba7427b4db79bf746b3ccb5c51f926cf23d6691042a98356f5b0950a964c7348b6be554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
772c6c8f06cd6b9c4d3e718020c853b1

SHA1
8c6dec0300c6667885fb3cdb21c086c9270d70ca

SHA256
4a505f79a802eb95e18da41c95511531e436bad88f68f6bb4aef30f0a8c74061

SHA512
c374d2a33b8f98b53b61f9378e77f03e79b97d080cdf9e5ae6d50bcabe6d36721ad8da35270667c72bf36b3eab2f91f34c7f6d159982ed07da43971bf2b7cfb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dddadabce387c4bcb261937d6bdcbefd

SHA1
deeee2f7e5ad3ffe75d2413ee6bd4509f18cd44c

SHA256
4287d24698e84475819519ff517ab7700e5e601eed02434fd66290baead30398

SHA512
56dfed2e9697df00692084b7ede3d95b6f6aef6aadbeae1b1ef5fda5637234621a1fff7c7771d276731dddebdcb6beaab1278e20ac126bd03d748acd06c5d9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
79a7fab87c15da24dacdcec20e6d44f5

SHA1
43293324d1c2facc572f005b196d02f39adf3b0d

SHA256
124305bcbe9e44e1bc4678144aab9407c952518d0b4914a65e9ed7b061bd0835

SHA512
bf136c4c3a00002508047590839720e0573c5470a43b6eaee176b0f92560f243f67e574ae1d7db5043bdc04404b1ff5f6b3a425acd3811f9fd3492a31e78a681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cf542c06c48b07a58d70fd372cb7ec5e

SHA1
e205c2e03a9608a8900b95dae8b70d349fcc492b

SHA256
6b49792121a4bf660f277dafc9ac9629c361a7f59db12648d53ba9ad8c911f18

SHA512
90a9181a5924549e19a423ae6a7455bbd97c5aca9595a16befdef71a90d3b1ec8c234f6c13fa434bd122d6503f170f62b8c70dd9cdbb841c82bc0cf08daffd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54afb8c0c9cd9d55c94182ce39e25d3c

SHA1
bbee67fa18b33a8aedb56d83fd297656f4a8544e

SHA256
3a418b10a2c05e1c2132dcae944368c0479fdcd8aad5c35fff86333463645505

SHA512
d8258727428bfccf2d23c3d923bc57f207b9e767a990df0e9f0deb5a5719c0a74e667bc89867fcfdf95310029de8b5653a956e1d2f9845d7306ef1c197c3231f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7e89edbabff16b7c0433fd7a2ed80fb9

SHA1
5f8749c9a192e1f866f59db869513c95f05b6743

SHA256
8fb2bfa0ae7113c383e035bc3760524ceebca6964b120f9beb11115eed4ae83f

SHA512
94f8e7e9912befd2b04c3b337b4a11405b9757ed93515301d37038cf04e4f02b6f3dc8ae1b5cfc144f926e036eaa7e92bf3a59837f6af6195731d85a6bb3e50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a79b38b8206f187ce34a57139de36664

SHA1
6905bce2a41e70c1d9ac0fad76ab62d9a57ec46b

SHA256
8f376fae81f05e991f2755026f4ae209d485325664cee17ece831a8a195a8460

SHA512
fe82016e49873391846bbfa25ea02b54dd5d7634b2c4cf0bf8b27d0d5225e04dae24f6361ea9facde8f00572007dfe8a689d00d72a592efa4e7e4495549fe657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
748c2fe935823a86aa37e7a76245d1af

SHA1
d85fa882918f44bf709fc2d0d476573e09007dd9

SHA256
8632f977c561f147fb846216d5ea2eea97ee1c359a673aa89dc9e2396821b917

SHA512
ad13af0fa25d663f2495f2dd93dca8b54bfe804ad723b26393cecb5314958f1eff1b19790c344d798df561e1e29dbb98d3be182c7d1f8aac0a90398de2f9387d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bfc886fc0ddf3dd8a195979787f4cc89

SHA1
b0a1857cc5f1ea94564024754fa9bfb05c70eb9a

SHA256
e7c3903fd9e2671eaf0272c2811d19709e86851317fb9a66b80794d659d3e659

SHA512
fc7236994908034ef3d0a471ca65d9316dca14ef97ebe6da4b2bfc6fb3960345a33b0bdc715ffdc37d6fff4b53df93185a24a576642dbc37acdecc5a88e18a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f00fb362ff6ba6c4ed1f92d04fe998eb

SHA1
c62cf24892c0ac32a08b7ec653bff558d60adbaf

SHA256
5e463eb5be6eb940acaba2a89e583a4115e1b3663c6508bc1a64563de07cfb05

SHA512
ba9679a24ba26f23bffe2a261273685abefb72461acb5ef7d6917d1858f2d80b6737128226ed4576cafeefdf257779c5312b738dec0286fc91e5e3244296d9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b5b41d680218110ec4ec2e53fcca040e

SHA1
e9e3054be112c00bab8b5334a8569bf8bbaf0f68

SHA256
653ce70581094518ec73f4c94007d3cd9a933e2f0a30594543d4b2f4d5c31457

SHA512
b87e991afe01a6347a29de61f8628088aafd92a4389cba1bc20e58ac123e38f3470bb69f7ba0f894a5d18fc7d672da2b0654e4956e782e5a320eddac3d8832cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4483bf971fa56243c3e415c541c913a4

SHA1
a7377ad69c4bc9d05329e3992dccf4170cd168fd

SHA256
3a949bbc9366c2d452f9ea143ee02c9eebac6b7c47c0eff4788cfa4419a8c59f

SHA512
6aa3cdd68f792e949ed892b8a767adfe7a41e4d013080ef6ccc125b314e894420f61c3ba3f175377edd287916524ae7a507170cff0d0ffa78bc35424266a8cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4af5acd9d84a5e29cffb95d7062f19c3

SHA1
e00576ddcb094cbb363bc1c261fec78da655f5f5

SHA256
e9c479d69e4dca7fb8e7d6c1f5d36ba3750a3dd4d7bf410288baf64584a371a9

SHA512
4fc63bb520b47eff927b7da3d01ff83eeef44fe4e2e1176c36da4f328a251b337fc5e911d166e2feab9f8119bbb799f92ebc2ff4a5c664d29000ffafa6aa7cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
745fd63b5fbbefac9299795f74751933

SHA1
119a67532edcb5eb135038d3d25ad2b9d178d11c

SHA256
c6a08e2fe24acf79bffbe26bd6daeb4b7b1af6567e62bd591d156dad379bede1

SHA512
134001a63c731e6f6c6d4c27a964a083d888d88bde1da8731789f9830dd566e74bf36a3350efe840aa12feecfdf601a035179dd16966abaa17e165e4497bda0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
dd0aace778a6ba81cb859e4121e94f62

SHA1
3646dd99233c5ed4728836c625e2c78b766d19d9

SHA256
c654a36c69bc55a372e2dea6e8db7e4f9d720d8712404a80d90b58fffd490586

SHA512
1eecef8680d04203d895fa4c228b569a3dd2c7c940e07381bc10eee601ab2195e996a3327e593a2411d8a531022dc9a71a2eea569ca14202512cf4ba5d97193f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
dce81cc61d34958f8a383f833838c271

SHA1
c9ddeef4c10536831115d4ac89aad07f4c3cd88d

SHA256
eefed74254a3ea1443f2707c09e8f208dff0eb5df20f0af2816ea148ee947917

SHA512
0dc1006d4ff809570271f54f265864f6a8d6f9044cdd0358dae8103b7ad7c0f7b288eaa0b9da1b7687c57e73df80d838cd45228fba3c2327bf56cb81efafd5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
60e4e27716f6b24205b6e6de78e2bd95

SHA1
0d453b93b6f02b7b01c2d7915354c9d35615a153

SHA256
32f709fd58d45c8feda8b47e60f872aa5d7e51280875e096ecaabc822ebd95af

SHA512
7fd7e488142aa9771d2fc2e2a6d7532f36e199948ea4e49433bf0d0ed3c482b2698e8f4d37a6125a2f5b235759c4e66d4bb5918689d348cbc3cbcfd97cc49a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e37ea612fe50ed274943c9258c5834e5

SHA1
025935714d096c149cbc0f9bf8c479addf444bac

SHA256
9db54e5ebadedf0127603a1481080e2fa11b7d5d5f557bfd40dc12798fe1c762

SHA512
5a04ee54b7a1641e9c9d81af357d52c15a21f5a68370faaaac3dc68079dc20469cfc029587a61414ca23cb78417fc4774fdccc563bfa438735c239f223340607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
163b72868c651c4e0864fb5fe9045208

SHA1
a8d3683b179d2a9062e1f402dca351df6ced8fec

SHA256
f40d8feec10e5166f34270c96ed0037af015d8734e6bdd517ac9e580956e244e

SHA512
64ce23eff6abe2823ef994aa3ccc56c27f2f6756333141147a4783069e9176ec70acd607f060941e1db7039982c76e2b6c1b6214d0943f6dcbf59abc17c2f74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8079e55607631d175977c7560e0f3436

SHA1
0831043645c10aeda89fb4d18d7b463307a8d9c1

SHA256
d63dfca2b2f0d73283664c362463990f1d7dd48f8db278e24c0cb77c01e76f8e

SHA512
3a108cdc8d655755f12bd51dc76aaeadc34019f762a98306d6a85416f83617434ae45c77b83eae49e5c0ff68d36b4bd951592c74a381f097196dc01aa2dbe8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
93d1ab98a058d849cede3fb152147294

SHA1
2d1035341962c06412b87148c024ba1393c47f6e

SHA256
da3419a7587be0118b2ff1f1f2ed421369421019a9a9a803ee4ecd0e5d99d6f1

SHA512
2a796051296e64f328ab728c68bab59f9921457bf818485b4d3c5ee6c418fc68d296a3a837218b69b944a02a004e44946e0861b469f5391b698ed9d7536a1f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3f6e0b86072c97bafe44071d8a47263b

SHA1
85f0db0bf0703fdbfe55d1c9867e0be7d0352505

SHA256
c96a4e6461ebd972830cd53a3ea00d5bc8a13920dd0cbbd8faedad224120f780

SHA512
fc666ad560a333a6bc5f3ce2b8c9ac2db1907aafc8a1fb8ca0c5b18892661a91a5b0b3bf224678223cca3c1e364be4b448e1fdf16c034e8e5ba70f2f9d7b2fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9eb7c8822eb847f347ef4359ba83c244

SHA1
978ed15e9b87e8856731bffb1d4946dc48702064

SHA256
22c17f7f31a2482916339058a0bd93fdd8245f2bf5557ada604e0439dc5c7b53

SHA512
7bdb620266271f54148cfe2366b14619ca143af164600f4c6197fd2dccb58f2869ec24642a987ff1d3000c1f2d595baf4d4b25410ed81a61116ab39713003591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d9449a67ab61517313cbbb47a4dcc59

SHA1
a0e974b27ef67f8989d5e181ce131e062a92aaf3

SHA256
6374f62e478a32a8d3cfa0c0de6995d6a024faa6f6b0f5ce7074b12787093549

SHA512
d625fbdc3bc4a040387e90be16225c5390800f54cba1fc24c93624b6f21db25784aa736ad572fa2a02d0b0459e3c8d9b29ecddd29a6da8ef39701d91a95e8646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8348d9f785c46f8cfe1549a910da016e

SHA1
0ab8bde6cf919ab7e27a2b17748dec6c4bab7000

SHA256
ef5aa821ec2542bfbdbd3417806a034f71776111e9e24a37c55a0ee911f8556c

SHA512
3c621df5bfc92258c3c239f2b2457fe891f384ecb2c4e0d5872f5f9147a31f7dc8a619a4efa134b79313213c0b419ae0d79d3b6b065e07a79141de6c21d88d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58db19.TMP

Filesize
204B

MD5
618592d1c49dfa6062f975dc08c94369

SHA1
e6e3d958d91c1d2af990b37b654ad9eea17adee4

SHA256
e454414f7d1ec22774738cf07a20d1a8923c05b07ce43e02d65b2d9ced47f54f

SHA512
b9cf2bb6d3d4251cdbbec5bc2ed0f592c0e396dd19f5267862a710c636e18c243bd970c9a596d7defdd00bce1af3cd6742e1c1a6249b38ecfc1542de6d597f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
92acdbbf32db3b7acc74c49b29ebe91b

SHA1
7f71309bd4dec481a9c279a9b90174bcbe263086

SHA256
f434858a15756152fa9c3d15bd06d14b79c2a93282ff109d2c09eed5e1f79974

SHA512
ccc6705304a927ef3fdb6b05d4af27f5127416db4626d622fbe17595838267daf08907c106ef63ebc3ecce124c3f85cb336dad58b0c5f7623c996bb20f0b0673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
23e0a4cfc47d41dadf8a2c166e95ead6

SHA1
1c2cca5c315601cd8f2b788af9223bb1e82dde48

SHA256
19b5e633c36c9b55d908772056b445caa6b92085e22d34483463d28b05f188ca

SHA512
c28091d280950b1a09f61f8840d4e622d5449a8db192856c27618932001bdacf54062f7b34e1f2aa0cc4c82259d82748638e502fa34ec263afb3994a5bcffba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
58d5a038ae0addeafbc4e896b3d4f6ca

SHA1
bf832439bc15f85d46e6a283ae4c374138e4add7

SHA256
cba7d6101976dbc41a3c81ecf9757bedcc933c1493d190c9cd041e707a432fb3

SHA512
e5f7ad1326eb4f6da0f7173b0eee2e1b33e915a98b3c8e34155ce323e7eeb7dd13e8ad8a5217fc5efee9c74c529c603fc9f29d58fbee4ffde8fb5eb4ad010398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
630a2bf4e6ecfc8b599439b2f039ec76

SHA1
f5e2c7616700917d8c9593e1f0c0e8a6adb59afb

SHA256
008667ff8c40b28beffd30acd842baf8867da575195aa308c0529e34604f8e31

SHA512
d333e0345f18de61f0602db743b25de7e68a5d1de5fea63486a177460db12aed20f874dde0d2e64a4aae7f6e69e28462dfcaf03015363397d3543154e4239ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2976413a336010b7d2d326c991d9f3d2

SHA1
f012b13d360795c029890ab3b5e56db2b8bcc8be

SHA256
5c0a0bddaffd1aae3e99a8fe76f5a8522559f32bfce747130b08630fe3cdfb06

SHA512
cbb2815802bc554af54680de84bad9aa46a780f13afa35ac17f4349be430cb8ae4ae11028d93573b3d0bb6ce2f99b735968707fb3f114142945ee5da8e17a70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9679eb0fae42210546161ddc1bd5e0ef

SHA1
44d39156c792bb0f483dc262bbd169f283c3eede

SHA256
ebbb1f339888de81dd3dd9abe9a100562154e0b81d876be5a83c405ee3a9a758

SHA512
12e549d1eaa6e99ab82428b06584f5de4477628985382fd56d9b7df9ee4cf3460d7390766b1473f2d080c2c7359cc77f5b4420faa504fad8c46bf0a6433b3d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a31eb7ef1640da74ab5de183ef8d63e5

SHA1
a86f414abc761ab86091741bb63d79a8a9be154d

SHA256
b24b49dcd022e75f010e5aabea6da00c7c90ec1355557765338a087dc37d5580

SHA512
f450dd99170bab6ab37d3041cc2714ce057a1c09a5ca34f32c0601ad9a47c58548cff1230a23823debbc7b3eb5006d608d32e9be974d91e54a0298f60cbc120b

Download Submit
C:\Users\Admin\Downloads\MEMZ-Clean.bat

Filesize
9KB

MD5
bbae81b88416d8fba76dd3145a831d19

SHA1
42fa0e1b90ad49f66d4ab96c8cca02f81248da8b

SHA256
5c3fde60c178ed0306dd3e396032acdc9bc55c690e27a926923dd18238bbd64c

SHA512
f03ac63bbb504cb53dc896c2bec8666257034b1c4a5827a4ad75c434af05f1cd631a814cc8689e60210e4ca757e61390db8d222f05bf9f3a0fa7026bdf8c4368

Download Submit
C:\Users\Admin\Downloads\MEMZ-Clean.exe

Filesize
12KB

MD5
9c642c5b111ee85a6bccffc7af896a51

SHA1
eca8571b994fd40e2018f48c214fab6472a98bab

SHA256
4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5

SHA512
23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c

Download Submit
C:\Users\Admin\Downloads\MEMZ-Destructive.bat

Filesize
13KB

MD5
4e2a7f369378a76d1df4d8c448f712af

SHA1
1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49

SHA256
5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad

SHA512
90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e

Download Submit
C:\Users\Admin\Downloads\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 487802.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 837987.crdownload

Filesize
26KB

MD5
01a6ebf12323106a7198f263e7ec8035

SHA1
8b26cbaff6d6a51bf09d7e4666c80f8926c90034

SHA256
2d184aaf67d614bb106319ab1a80a5c0d8bfebd513e3fba51acf217ea527ea02

SHA512
eff9fb5303e9f6f602d6177dcf6f8660f18a2afc2771d1abc05fe2af7ec0a9b3e9640e1273de80b312947f7cf40431819359db95bc885aa9e13f71136d69146b

Download Submit
C:\Windows\System32\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Windows\System32\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Windows\system32\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/3648-1412-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1414-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1415-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1416-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1417-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1418-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1413-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1406-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1407-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3648-1408-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download