hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ[.]zip

Analysis

max time kernel
88s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
4156	msedge.exe
4156	msedge.exe
4948	identity_helper.exe
4948	identity_helper.exe
2172	msedge.exe
2172	msedge.exe
968	[email protected]
968	[email protected]
3248	[email protected]
3248	[email protected]
968	[email protected]
968	[email protected]
3248	[email protected]
3104	[email protected]
3248	[email protected]
3104	[email protected]
3104	[email protected]
3248	[email protected]
3104	[email protected]
3248	[email protected]
968	[email protected]
968	[email protected]
1400	[email protected]
3796	[email protected]
3796	[email protected]
1400	[email protected]
3104	[email protected]
3248	[email protected]
3104	[email protected]
3248	[email protected]
3104	[email protected]
3248	[email protected]
3248	[email protected]
3104	[email protected]
3796	[email protected]
1400	[email protected]
1400	[email protected]
3796	[email protected]
968	[email protected]
968	[email protected]
1400	[email protected]
3796	[email protected]
1400	[email protected]
3796	[email protected]
3104	[email protected]
3248	[email protected]
3104	[email protected]
3248	[email protected]
1400	[email protected]
3796	[email protected]
1400	[email protected]
3796	[email protected]
968	[email protected]
968	[email protected]
3248	[email protected]
3248	[email protected]
3104	[email protected]
3796	[email protected]
3104	[email protected]
3796	[email protected]
1400	[email protected]
1400	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	taskmgr.exe
Token: SeSystemProfilePrivilege	3584	taskmgr.exe
Token: SeCreateGlobalPrivilege	3584	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
3584	taskmgr.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3520	[email protected]
968	[email protected]
3248	[email protected]
3104	[email protected]
1400	[email protected]
3796	[email protected]
3908	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 224	4156	msedge.exe	83
PID 4156 wrote to memory of 224	4156	msedge.exe	83
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 4940	4156	msedge.exe	84
PID 4156 wrote to memory of 1012	4156	msedge.exe	85
PID 4156 wrote to memory of 1012	4156	msedge.exe	85
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86
PID 4156 wrote to memory of 3396	4156	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb78b346f8,0x7ffb78b34708,0x7ffb78b34718
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,14921122127249441866,15722595502990350645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3092

C:\Users\Admin\Downloads\MEMZ\[email protected]
"C:\Users\Admin\Downloads\MEMZ\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3520
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:968
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3248
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3104
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1400
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3796
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3908
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb78b346f8,0x7ffb78b34708,0x7ffb78b34718
      4⤵
      PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
      4⤵
      PID:1524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      PID:4956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      4⤵
      PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:2644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
      4⤵
      PID:1328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8834152220496718388,14134038700720641710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      4⤵
      PID:5224

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cce9e9f4b9fd8e0f9ef79f48c6dbaec4

SHA1
4fe453b717b00775adec43b84db8955e1108d8c8

SHA256
c4191c0180a10c00ab5e70dbb4c01173954a481f48c2202f59257b277868e637

SHA512
ddd6475da132aff41462af588dc4ec8702e2ca6e029f30f42f2410b061530cd535b559a4a5a3ab219e8cfdff388dbb3a25503a4d8d9fd155d9f7e80065fe5b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
c7f64f32a2ebde24212dc4cb696673c7

SHA1
d82a45ab7d7f4bf9185989ce17dcabddd1047aad

SHA256
3f85055458344b57d516a1727770aefe61a0c1c78f6fca64667cfe17bc20d800

SHA512
92e865690bc78fce6e025076dddd8370c1ed6b0fa399e20e07034581d8d95479233cc35071367a7117a2b4086582a610d53013359293e61f229b480b5670e8a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
4a2d84f12a040b1519c0b8c402038fd0

SHA1
6bdecd821b980f0adc7ae62a5b2cf3ae56f734cd

SHA256
9e4f9bdf23eeb8bc3bed6e2f79b57ef343a4719afabb1aabb1df44bdcfdf361e

SHA512
b7ba0ae65b6dc36c0b2c50375de292e38ee89cc30118df02603f0e31f7efce399d12fd8bc68085f261c425efc780604c854a1025e747192edc229876ad9da2b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
50a949612e79f706e7b13ebed958d7bd

SHA1
83ef3e469352c9f816effe7fe95da0c121cb36cb

SHA256
306bce05f25ad06ebd48760fc60df712fe78029ad510cb2b41de4aaef28b8513

SHA512
901983378245a86998d6526939c1e714f494e1dcac44a95927985101a1d32dbe5924e7c0b6076d7b002c130ca8809324f1108dbb4591a56f7c72636eaccce8f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
3fa61c00373be2e28aec6e75b6fe6d07

SHA1
4b2618875c6722c6e1f5a60f39a5f0838c385120

SHA256
f5ea6077e8a01f1e6ee1b78bd9fc6e4e5f1aa84a4441c7db78330af0a12244a4

SHA512
bb822c9d758cabf9be499c3d7ef95b75ffc8173d541f926464cf5fc502fc861bbee23e550b701880a59eca6d6e1155e8eb48f6412a68961b08f5542c1a489c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c97cc5b9cbc1db3fe5ec8789e3d57d17

SHA1
b2c2464a0990638d4c3d06ce2b0075d4d29169cf

SHA256
faa2f4172ca407537408ec961736c15b927d737925a19589aac96b25fe6787ae

SHA512
4681fa232f408214611b41a89dd48a6f312faae6f8f95783d0dfee88ac86823f3deccd48252b37396a76f080ca1b841e833df6635d7318847a8f692dd9b9a8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
6d17e1070e056d60d352e16cceefe673

SHA1
5fcf8e0f82ccb121a635dfa162c9c502250c45b8

SHA256
9980fff59183e4c885741402af553f1992ecfe29cb962c376f4844db5919f588

SHA512
fbdd707a75fd6eccc1fd8dcc76aea3edf250595763e50f306ff8a388adc989dd2d01db09792390bf70aa1bff60bb2f6bc34b4d3769401b336a3d2e4343c7ccaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
155180d3ca13e791f9c6cff4931123ae

SHA1
c414d423c09b637f34e7b9bac8e92bc28646b499

SHA256
0cd588611e66fcdcdec29d293c0250afba701a8970c05913d0d48c1a2ede5eda

SHA512
f818f062089621e2a2d47e242882eb4bfb5ad0d2c63fcf5318beead3707d408b2216e465edf139b886b50f240ed9fbc37c345211952c2f32cc1b318b19ee2686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
1c33c853c51170b1d4b7177b83daf1db

SHA1
6452cb6b219a8ad7230577f433c544216ac6fbaa

SHA256
69578db75c62af106584bd8aa0226fcd7a5fb71c499bd645582bb1622f615528

SHA512
44185ee9ce20e7cb024acca123157213ca21ae95996c85c6237b3af7f098ec37da8da18de043a16dbf5146c11d5f81d751a5472f41c17df9d106a1bda2215e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b9d182bd8d673f4cd6a038134067221a

SHA1
0d2193ac444f47ac72bd9e419b15a66152be6707

SHA256
d46611128d0f180844ad9fcc4422c7759edf210ddcf0a468212ace3fb324f0de

SHA512
e06fab02f2d157771a5222b2c07cf691b9ad8a9331bfd564a5c0c188f13a605ee6a0fbe5fef04d664789177624148f1b3cd9cace39d191b0f3664e1f0dc4bad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
cd60b684f3b45d530e7f64f2deb370a1

SHA1
1f6b058d4a9c6d3b383ece8f2f573ee6630dbb5c

SHA256
bff93a6b3fcb01f96fab06aa4650cadea6f085aa0b21896e485edb27f37ed7e4

SHA512
1bf4e06fb583d5a9a0968346da56557e74791668d480bd39ff9fbbd5de4e36208f4f474535701dc1429ae3b6134088c6a231d09fc59ce5300130d5fbf0577c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
838B

MD5
8ea4de796ec0cac3c2b0c5611f979910

SHA1
8ff81c77595e7abb38f1b748a6562e0e21217a3c

SHA256
8e9568a7846c5853efaf37307eb8705d004b3abed374029547db02288f593a64

SHA512
3bbc8e2673d2c771f8c279e16f9dee21f706c033edc00ef713174f0c3c64d54932e55f5286ccb9dba90d5bd239ced1feceda602739cf6cc4f84f5df77814e748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
d87a08bf7769dc8875fe27094b5a3626

SHA1
3265c6f21906a9cc6f6c5eff785378c2bcd4000e

SHA256
82f77361a9a63ddd37bb041eca750cc4f2a9af0cf67579ceb68a8a37fb559441

SHA512
ebc5edce24de4079bafeaf255e341476db6af3c1018b8f390b70aeb30617eba9acb36cd295c7666cb4b91629d2f308275a4e1a6fb7e3ace3891a6446826cde99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
44909226b3138c73976619b29b4b7a5c

SHA1
894fcf3474690e656065faf0238958078bf1ab48

SHA256
94190881b7be5bf96ba0d6813f9c74c98eec7bdbdefedfb505a5fa4ca9774fa4

SHA512
11d0496dfe6c43dc905811b56377222676b5f97ef11daae8fd5e97579304ee85a6bc5ea2a8ac0f41b3f228a75c36f130835d90c0807d122c92aafa9ac54524e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
2967ea66868584cc69bc6cda1884ddb9

SHA1
3b2f75f2ddfa96111cea950d7af5709b0f947f7a

SHA256
f9f1a78017be1c4141c64427567a295c95e02f95a4c8c3805afd8e4cf4249ee7

SHA512
14112df19b43593d56bf505103805dd7670eaddeefb211cdd224e6195ffd39d0988ff2efb36e7df3305800d773fa2c1bb1c1d86f8a7f9d1665f2d8591f4e9b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
9a6ce27b8d0b8451401204291e83d579

SHA1
0a94eaae0e37289b3ab5c634d886579f01f8cbab

SHA256
475dd5afca6828b19833bdabdc3d287a2a147dd8d6e8abeb42f5927e3ed903af

SHA512
bcc5cb6b95208daf67402adbab62269fa29f6406d88c5759344887c109285ab59625f94f139fe92fa4dcea2151d7e3d2455484272ed6399370e4452724497785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
d39090d712dae41674a6c4c2e281144d

SHA1
eb315a93b7867b7ce822e763ff950210a920c87e

SHA256
fe431dcd29d088cebeb4398d26fdf8c1edc6d6fa762c183dff3afa16ffec386d

SHA512
cba8945d1e71f4e213a6ebffbb1a1e202428b423ba94d33b3881b0ddb6e1ace8032bb0b09e54d98b86302e77a35347685f401ab164bd91ae003ab6a9c29bb0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
61aeb3c0077ad8de33a5d962dc5c8b7d

SHA1
4939620a4ff28e665875b8e0bd2e7e11101eafb1

SHA256
025664a4eca1b95ae48d770d2b5cb19d22269bcd364506cadd5e12e0d685a2e4

SHA512
a6c6cf6130ac142cde2426f8146722cd35b356f2072aaee6e2bc919e482bd71bc52c666d4ef23eb47305a8a374b50b2490afd0e0c33cb178fb30925ba2dad6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89afe49d9d0852ec9bf25d42b735e948

SHA1
0ee16a17ef6b2e86dbc905e6ee6bc01a39824962

SHA256
8e7f99440fc9037478d5ce100981bc9c7e91f3d3340e7a2bd26c309d5dfafd48

SHA512
0959097bc2dbd7625f66dfb2e8d0c7c7a918f6226964fab9440340012fb49ab80cab3d4b20b48c42e35db285a4f31717c3aaed273012eb66932d8a2d271f9c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f1f3be5191109157a2fb7a55aa238155

SHA1
e2805d8e3effab767b72ac93ea83ad536b63267b

SHA256
8d1070636bb1b89ce644388e57a1c861d66f432d88be87dd441f5e8ecf1f126a

SHA512
72485d1b8648a8105e1b3d75bf8a66288efe7134bcdbc7648fa83f2993da57ba6f10580684462680fab22e3c74d760d09aa6733953b880247180c49dfbf78f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b3e38cb9b35420c0415f7492e28196f

SHA1
d3afd4a64af28866fe685b0d3f93516e96c2a366

SHA256
7ce6cb46f55656ab0509a12c839ceb7b4caab578396d50129b6dec1b04ecb9d1

SHA512
7941cb6d3874daab75c4bdd435c19715a71fd07f127b950f73af0df48e6812242b38fae6e6a01c943a38bc965f203c9fa941dd369c8390d1d419d5a9c36f8457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
415B

MD5
4944be71c784e20c50569cf555b2dba4

SHA1
7712883b4654feb914739c083416e6fb0821cae9

SHA256
3bda3a5f3865bba415d056babd3b59f63e8711554c7cf66110705310ad917e54

SHA512
a258eb156252a2e92d35e90751386b398ef00d7a3a7744caf045787be45b14057e90b6bb5b7fd9642d6efd983db05d80f5acab90479b671601a7355083bf0efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
7347f36c0f76aa122decaa4fd5656f26

SHA1
ca6efb9c9123ca60449aedfdef24a9575627db7b

SHA256
bc303147bcb20eb6f4a1215edf37c320aaa2104a29fe0e964e9c9dfe73815ff5

SHA512
345031f2fda9473b6b1309c18e64d62b3218e1c9c354428a06747f30be9aba61c38e6760ecef2f957d9166ffc748fd6bc3c083074c90c4ae9e3a7d357c979d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13376646476334547

Filesize
4KB

MD5
c4f0dabb5f307f429c1f6569d233c3f0

SHA1
9c8a9e7b71884e027748ab7612cbcff6ada7457d

SHA256
ddcf852bb15b8590328bf6cafd5fbe9215cea38368817db0affd691a7a9c2200

SHA512
c71e28269f7ba421cc94b7d085b1b4d45774286fc01cd13e358dd61b0466e27b0ccfe70e75d634775c6be2b545ca2d3a2510b7a4786a1fa6fde5abe59ab6d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376646476559547

Filesize
3KB

MD5
885f4cfacbe70dc197896d368fb43017

SHA1
321903f402b0f1d36a0fdf04dcd898bb6f116e00

SHA256
4731a4f28c1c636ab54864bf1c325633dbef052fe46f150566c782e2178ab50e

SHA512
b0d15cac77b3010a5e400fd7fe3cce73352ec2a96cc3cde296cde30ee76f956621882ad90c657c8692f298b3f05e8542790f30c15b1c8e81a6eed1a5d32ce61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
6dccd62bb3f6cc8a4f6ff06c1a75a398

SHA1
9c1275146878ad0f85c51f2199852cb19dce0942

SHA256
1c95f8fd6b9c4615a190fbe972d626258e8cb32edeb3a5a2ba6b96664c3def3f

SHA512
a0a0da325e21070b2fb12aae327faf251f05bf5a435e624f762893ef2118a9f888882da5265efcb39dc9c85372d3766161bee83a125a2c0af348b10976826a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
6566c1ea4e5650f87d5089384348f5c5

SHA1
a7b7b00cc1900bf381451c90f7870550466b7f56

SHA256
4db1ab98886cfb61e5ed47052f749cd24de245afc05e9007481982a5b1f08e0e

SHA512
4776151280dddcd796bb9235612d10c459919b3e62d49745edc0d9a7044b8e9f1bdbf79a2275fb1dcc9a5225f1e269cedf5f9e2bea83f0a43228073051252938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
df3ed4e57986a8010a9cb91bdac4a7ba

SHA1
32b7d3ac5529e6b0ecc572cc9e34ee005e633304

SHA256
e6b8be0ecd6a0dae2086355810ccc907605d7c4ff055bc7bb317eed35f1d5256

SHA512
8c4baf64e9d57b5a72a49f76869310916e57c83dffe0d7c02391c8fe75a12038f3efed42568f419cb8452b2d17ab37f0267b6b11508353ce4a56432d8a519d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
9d427ca869cca34b6238494b93a50712

SHA1
20cb42c3c48805992924f9d6043816cb4c69733c

SHA256
864f8a637a975faae1350aa091ec110bb56e31f27dbbba7810e82a3c96252a30

SHA512
f4a3840509061bd0d74786f3f16a8dba5a81ac4305a859964e777caf74077384cdbbf904c83acb79d6993d98ef94faeb630da86ccfbf83831b9a31ac9c32cd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
ba03ec0fca205c3b1e6570d436cd8caf

SHA1
243c8103b3c89f3658d822a9aac361d2d70dda1f

SHA256
f8b70ce654dbd82e364502d8d3c7c5005b8daf633abba41b08b087d8f6bdcea4

SHA512
4bca2bba07fbd7c7fc92e704b4c61bae1f62eaafddc3bfcc71b1547f5aaac68bd97598594993a161e0bc5e81310c0adf3ed6e33cc1723229ccc4dc15942d1ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
60KB

MD5
3dbdb2e5fb4e7cd440415b64212b6360

SHA1
0f81ed64796214d918e4238ae7fa912b8a5c13ad

SHA256
feb29d0cb65b535e65a62eaebd95a6d8d6d89dac262cf5a9c316623380d8d344

SHA512
085a5f00929b1d414626be43cae1a01b614950de13ff20bb87c0e06d0522daf4488c8677e7c7ddf642b66c94745700356bdb06664bc0a4c878ff498ada4df6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
db356c80d01e8af2e531b01be3b9be39

SHA1
9bff11351be8693e94311a4a54bc408bc807db1e

SHA256
e29613d0fb6d25e5d132ec3c80770635e55885fb64920fce4a8bed16a433b6c0

SHA512
0f16b3f3f993fb4f69b64d17c9a4dbf2c639bfb4088ba660d64c83712229e5a20f94b74855834156ddbb4357e3f919d73e67158a9b8475736cb88b2d8301e97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
98d86107461ac04f4024bdbf896cbec8

SHA1
c2cb996ede9094fd7705f0ff8438aeb08eaef3ed

SHA256
177eeba7cf425e3ca1af97294c1b0f702a60703d224147c080444ed7bf7eff85

SHA512
261fe1fbf0d38856120e63c3f6c3331598fb002321add057b497a3cca2ab1c3773a902c9ec1c3198c8f126ec1226ec17e4bf553f4e1bd547bbbb4497a5e3cb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
c05057963d9d5caf3cffa4fb80c8e36c

SHA1
3f43db46b547c2db7ac6671d95eafa66c77901df

SHA256
1febf6d8f77e47a02d6ec176e2da4bb2317b8f3e4239540776af0b4adfbd7a69

SHA512
92a142757b9e2bffe5c65fed281d544c7a30c684bf2ea4f13be3f3462b510db0928e8103de8cd689b3df1158c4c00c8156dbb5c3c9a761b8ee3b025448244c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
e0a34c045e76efda22dede7df34cef55

SHA1
9cf5dbea800f43a49fed28ef876f86e47915f17e

SHA256
c98275844649268a046c2c2c6fcd2f5bec642cc9665eb0261dd67760e6af1e90

SHA512
3808d2d50e978847a25bd5b616e5bfdfa27678c58d9b2ed7afef32f45eed265ec3185218c53aa2ab153f01e56a572f87ff430e332fac74f2fbeb152f70a5eb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
4d8fb4baff3dd3a40bc4660aced4f5ca

SHA1
379ee0a3b94a1622587fb6705aaebf9e3dfc831b

SHA256
62b6fa54fe5868a3851644059be36181f87faa2a16f5767e399f7b6cbaf2caab

SHA512
7fa3da0da508cf63a0878f7b262b257214c13cad8bb5d5974630677be064810f95a82d2ce2c9e96c540f6608a0ac624090446b3c9962f68e10374d5f55db36f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f7e0592bf2febe8b6a247e4fb7719190

SHA1
aa4e33e4759faba8905663535b5ae9988a1c94d3

SHA256
05fe59dded18cedfdf027fbb336e4bbfcabc3e06bdc092fcf54500a552869c34

SHA512
7eab9771baf5a65803f035d3e9e60067dd8d83172bab5343a104117907232cf7b33f2ef87b0cee75b30a8e2483b63e7a28501ef5ce6c9b5df598eb85030a073f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
c7aee2d8f25d5b9e342d7c739126d9df

SHA1
09f171f43e5b042534dc9358135abea804787c43

SHA256
22a80b0d65b8e215d7a91cb58c43e749449d5099c72f7ca24fdcf7111bb7c545

SHA512
314bd70b8c04b77c98862802236027f23a7003c98f5a413a8f60310b59f17306d05c84b818572cf38194de9e76bb6f9b540095b8db3523439df9f898809dc07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
17KB

MD5
6bc4851424575eaf03ebe2efee6073ab

SHA1
2d014fe2feb929d03a46322645a94556ca5c9e96

SHA256
abaded8e235fdf329521806af30a1cc7701eaca3fe2efccb9da760ec6d8e5e4e

SHA512
af3b7d93fa2243475d74d4bd7f918ce2706bf6eca28029b9e49869f5f793e483efaafdfab1fed6306d5fc77a5ed3b27097b27448cd04560bed4df6fa3268ccf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
17KB

MD5
fc97b88a7ce0b008366cd0260b0321dc

SHA1
4eae02aecb04fa15f0bb62036151fa016e64f7a9

SHA256
6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e

SHA512
889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f30942865e2b9ccdd43dc1d200c35a72

SHA1
2a100175380257eb6157a2fe6d21671d8b684cb5

SHA256
13b05893865179afa1dc17ae75aa7a95003e8382a4049ce8374d1ae711f266a1

SHA512
815b6cc177bfb8d49812165783cccb7b6dcfed3fa7f8163762a2889587bedd33deb8507284bf455e9503360efba4826f241fcb7dadbfc2baee67c703f0512134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5db8499b6bc56292f7d3dcb456508b84

SHA1
e765308b9f1a955902fedeef0604f10120d4119b

SHA256
283ab59124d93f7cfbf68482182f1ab351b59c6e27f001ec9628084113a788aa

SHA512
bb554fb00b85236fec0d8f01645a4e3c6725add94a3a9e468c89a0c3489c4c744cc77a56742409745d5558680b627b789c41f0d6b0ddc340f1f6093cddf3aaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2bab266492471ea2e972d6837b4f5c7c

SHA1
dc018ed7b79487af29497d076fd3985eed194697

SHA256
a56a0bbd56f374102a5722f1974e75519f3c3939db8c8366b5f591620dba641b

SHA512
68f55a8697c25ae64e8241f9f86eeb903edf289df08e5f0cc231358c89dba94378c5fe24cb7bdf780ebf929cf8103e1f614d5124fdfdf1c0894374d748a16231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\eed1254d-03dd-41a1-8ba2-40c2dfecc40b.tmp

Filesize
10KB

MD5
aa7df44359260c07cc2e493de651dc1c

SHA1
f899b5e282f6f6cde1d605e602d1aa98f86fb63d

SHA256
b03efc7519bd68a292b037ab19e504cd6907bbe19b8bf6c938d245f5c0ea7114

SHA512
2f2f78f4e1f1d5afc71a79e68498cd1e866fe085a1b71e2e27c5c102e8668668150b1130578c59c15384dffe82a407eb8afc8843313f7e2546b85867700aa82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
e96de233821c5a0ae853a51b92c43f7d

SHA1
aa62a0c499bf01f79eaf1195312a2501a273f86d

SHA256
5aa64d6b77ff8180608ab3f9267cb6c077e6ed68b67e9538d035eea2d561f6e2

SHA512
318be719e4eabdfa473419e3868b698cdcf67faa878daaf9ae67aaa8e9cd7cc4142227e91e9dc6cac8ee268a3c17d5780cf08c7bba0db6146ac950082ac85f9d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/3584-351-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-344-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-355-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-349-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-354-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-353-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-352-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-350-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-345-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download
memory/3584-343-0x000001DB5D2C0000-0x000001DB5D2C1000-memory.dmp

Filesize
4KB

Download