d94750830fcd3dadb1d2343135f5136042d63451712272a2d7c496d50940efaa

Resubmissions

13-12-2024 20:04

241213-ytcrhszkhq 3

13-12-2024 19:58

241213-yp8cmaxqh1 10

13-12-2024 19:57

241213-ypg6fazkfr 4

13-12-2024 19:55

241213-ym6e9axqgz 3

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

8KB
MD5

be3ab1d1fc19b664b3de254beb3086ef
SHA1

e944fdcb2d62e379c71624fa6e2815afd3cf7fba
SHA256

d94750830fcd3dadb1d2343135f5136042d63451712272a2d7c496d50940efaa
SHA512

bb9ba4db70d7315c21ee1497178418f0a6cd3a27f406595621f0fee4643168c9dd806d5dc01178004cd498224e093778d17faea78be1f890e8580b1d23c5c3e4
SSDEEP

192:PN2x2BpZge0zxfu/phJmw1fx+G4xrECBk1GVDSkXybwN:Axi0zxfaJpVlARGhwN

Score

7^/10

bootkit discovery execution persistence phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: currency-file@1
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
1596	MEMZ.exe
3308	MEMZ.exe
4484	MEMZ.exe
1256	MEMZ.exe
2308	MEMZ.exe
4640	MEMZ.exe
3064	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
248	raw.githubusercontent.com
249	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 763202.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 424997.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	msedge.exe
4556	msedge.exe
4912	msedge.exe
4912	msedge.exe
2308	identity_helper.exe
2308	identity_helper.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
4328	msedge.exe
4328	msedge.exe
3308	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
1256	MEMZ.exe
1256	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
1256	MEMZ.exe
1256	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
1256	MEMZ.exe
1256	MEMZ.exe
2308	MEMZ.exe
2308	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
1256	MEMZ.exe
1256	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
4640	MEMZ.exe
4640	MEMZ.exe
4640	MEMZ.exe
4640	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
1256	MEMZ.exe
1256	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
2308	MEMZ.exe
2308	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
4640	MEMZ.exe
4640	MEMZ.exe
4640	MEMZ.exe
4640	MEMZ.exe
3308	MEMZ.exe
3308	MEMZ.exe
2308	MEMZ.exe
2308	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
996	cscript.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4568	4912	msedge.exe	82
PID 4912 wrote to memory of 4568	4912	msedge.exe	82
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4396	4912	msedge.exe	83
PID 4912 wrote to memory of 4556	4912	msedge.exe	84
PID 4912 wrote to memory of 4556	4912	msedge.exe	84
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85
PID 4912 wrote to memory of 4748	4912	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1cde46f8,0x7ffc1cde4708,0x7ffc1cde4718
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,749122880591620323,10668305721956230478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\MEMZ.bat" "
  2⤵
  PID:1636
- - C:\Windows\system32\cscript.exe
    cscript x.js
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:996
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3308
  - - C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4484
  - - C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1256
  - - C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2308
  - - C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4640
  - - C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3064
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
70KB

MD5
807dda2eb77b3df60f0d790fb1e4365e

SHA1
e313de651b857963c9ab70154b0074edb0335ef4

SHA256
75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc

SHA512
36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
25KB

MD5
d458599825f1991b12515799ea5c21ef

SHA1
473f5e31b20136c270cb4c53b4ccdc8ea75b1afc

SHA256
095bf74a4d0ea0c8abbb03e1371ed4c85d26e49d7218796934b784a08138e90c

SHA512
dccc6fe06a766f706441638487424e5d11648b2fa549dfd0f2282d5d2dfa554a2e4190de01397402c49c4e394676afb8a3a3def150ea066fbe8b86d3a7bd7e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
98dd08e3d756869877e97df4f0517c88

SHA1
ce172ca23e6ffbe0f2bd4cd592f183f7ea4ee772

SHA256
612cb9a0977e7e3f7fcfa44f1a8615395ec3ba96df0eff204c79b5c4b49e7db4

SHA512
c1c4ee2a7abb342a13bb5945d4f17719991d37186f459ab7638ff5cc2f6c21fe50c8a86b4dd31d18de7246436e5534b798ef92ab0e511461ed1727504e0c2436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
70f9f9c638218a00e0274211ecd67789

SHA1
27c32c8cf7ef32fcab4306b9e86a595879eb94f9

SHA256
5bb741dca886e673da27f3ee464b94276ea559e61cdac7d75dd00a9fa4c59238

SHA512
460c551784bf105410b3ba2a53dd09b6d300f8aa1ea8a5b4c7f98a4cdf59027167b470484aa7b347743a83ef7a2bcf5ee69e68ed8d7049b8884516e1744741e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed2870bf431a489caa762eef377a2e27

SHA1
e2fe767c9397e8cd0ed7db19f0536a33838ea2bb

SHA256
4ae051847f53ac1f4166f5c313e7f80e7aec97b93cfc524e90540f8c99b537ce

SHA512
ed7fd5519d8fbdae1f4acbb9bbb3a7822f363ef43274c7c4511416ed0d37087dabca5081f3a7033b1e193f80c1a129d60537b9faca4216978a4bed0f3dc4bcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ac2b0fb17c754e907864834cd6463b80

SHA1
95aa46c57f0df2b611f30d4149d85732f5cd99eb

SHA256
2f9aa697cc8aa31e84177b2f23c0150f0230dae6bf748de2e44de1e590f30469

SHA512
b0b65200531a81c39547fcb7512af2fd2ad80b5dc3e7ffef44f3d086f9d9aa97de42706dcae270e2e7ded4a45741717ee09a04d994d4f80f22a2b7f5acf47594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
557ecd9b5d2efdc7817d5d04f93c2414

SHA1
8d410a927a5ffe9196b2a12e2d8125bb695cef61

SHA256
3abb34e1c2091eb337f1023b683bc07052ada8a3bee1625945c1bbfcbed57f5d

SHA512
4df2c82bd24f615394de4bdf267eb121facc986a21b6c8571df12d530ff74b324d86ba9eabb94e0cb3b1bbbed684d8ddff82dbdb230893d1776c32a83b03d45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2db4a86d45b0468500cab6d2cdf91d24

SHA1
6d180e423787c49273b34dd9f8bda2d5808ccb41

SHA256
bc7791b373d083e5cdd7e2bd0541742e5ecd40f810787b27555b7eb441e7615d

SHA512
9ecad95e18edc34bd062c0b9d99dbe200cb8f3f647a13343291d91acfc3c9f484b87a2a8e2f1509385ef2ffb89406a8e4a5f99ee6d469c81b9f4be89427fed9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c851ecf4321f942a761a0206fa7b4f52

SHA1
f3c32ca4cb7ad167b3fb5e645053b7943e352750

SHA256
86f4ae19f35bce38572c8fab3b3014b8d2991dcedbd3cccf45314a38c6dcc44c

SHA512
75addb11a14cea3be46b2143b6723aaa3f418dadf3818d1f15e08d8f6a2df4fa06d5810b236ac2ef05bea43c7bae5d8050925a93f054f1366946c43350e35029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
885a6224b60ec721628af2f36c2ef43a

SHA1
c5296c85407915e7c1036818eea5b00682b7898d

SHA256
73df5b087ce71622aa6626acf1153d2b42441b9a10eead46db7a89e03151bd84

SHA512
2358fd365d840b9d157a95429d4ac235c9bcb224bc3644e383320f6ff212b0553dfe127b04684761f9b20b44dbf775ea82d02c86c2040a7ea9ad5a68989ae804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3097b1eaa14dad3eab9ee203d9eef8c9

SHA1
f0d6093aecfebbe34240f3451f4b4e129ed1a7f8

SHA256
e45bead1de50ad71bb8bd1bf7ee0c71d434a55d690e0c3af9f6c4e1150a8b652

SHA512
0a5873c9e25231d78d0af1858b1404ed5655f214f50ca353f3db7589d45151ab6926488377138188355aa1307977c9293e94f3b52e233e012c0e37ba0d0b7459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ee3ebb5a947e19d42ef596c00f5ed0cd

SHA1
7bbefcc0a0dbc441f2db4ea24467dd6211a64110

SHA256
21d14057f1b3e57271f8092a0ea4c6b865f80ba7b47aa00a19ad4a851573b498

SHA512
8cf5d36d0c45c57fe5f6aba3ee326c19fad453cbc573ec19fa974327544f6cced2e99bf9a515b74be14357262a5bdd0e15cdb11f165e616026772828f485e8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba0b5f9c7a7a5a1fdc672366bdac3343

SHA1
5ad4dda4381ac26979fc968336c9dba9e27f58ff

SHA256
e85f5a61cb8b31eddd6f5ed9d9a4751a4f04495bff1bac74a8b9e313bc018adb

SHA512
faa6f777a452b00935cf585dbdfa4731ea788d5f16b1853d70c20d718ea7a9981b87a4ccd35ee181f3dea782a610ae8f794f999bf2f7e54c8f059777e577385d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
436aa962f4b3470339f3610534b3eff0

SHA1
03eee9eea3a848eee46ef19e98b4a8f8d3825f5f

SHA256
41b3b0d02076ed79af3c88686b75e86784d6bdbb63bdf29dfa6e718ad15be5b3

SHA512
a051358bdb034b04f068bff641fe96f4179951bb8e0fda0c54c94e92660ae5c88b269c7cfce21e0ee1c62ea5f68d0575c30fcd87867cf4d31e00437eed302d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b8828.TMP

Filesize
1KB

MD5
ef6874e7a5e7ba763498d9413615a36b

SHA1
1addffa6a6a8cfa13982baec683bf248464f823a

SHA256
ea1c44c1e070c7e128ca5458eb4ae82b2b6c358bb5a4b7ff3bdff72e146f523e

SHA512
5342576ea2fe0dff40eea80a4a6c672584a19e39695f7eafa383c549e289a3af6a31cd82c6b6dbd649bacce94ade57c2e386151ed971403f1fe9647d75610b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
594bef40fb0c44c8023b8e9f82cd473c

SHA1
db015232311e399ae3f52342643e4af087bf46b0

SHA256
0a20376e57aaf9ac4b4b6fe0a44f64f6c5cea9af13341b0dd25e9f76f40005fc

SHA512
de13f84922ff95d85470c461aa83485a0cd8077c0cc9817ec812b666684f67b79ee9a92cf05d9d8fb8bb27346a23d3416d8e2d78800b50dd6670c131e7ff4f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
df65d34fe45799884cbb9e21f3f545e4

SHA1
25ac892626e9830e040dbe8b8a38133037a75be8

SHA256
d2d88c7fa87489e3fbab81d4e359b7d90aa317b272917713a5ab81b2caf84567

SHA512
b73d0c7e5baa2d6f2553129b997ad4f859b99da03786f333d01d0508d89765c2b8c04b521d9cc5dfc3d6f9d826834b1ced55693724b05bf91d21d9c68a95097d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 763202.crdownload

Filesize
13KB

MD5
63c6ec6b042bcb00d2d832c0e4f25dca

SHA1
a904a7c3fc89ff497e91384a63db3282e00d31ce

SHA256
dae968f47476ef79b122e771ccd0a2bacde2ac3535f68047239682fefa3dfe50

SHA512
1454cd79a59f0603ae083abb7f3b1438e18c7858ab04dfc3df1a725cee72be48274c289d5c0a44ce415f4bdf8a2c316312453862381fdbf0f4af97a62234e41a

Download Submit
C:\Users\Admin\Downloads\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\Downloads\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\Downloads\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\Downloads\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit