2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

16-01-2025 12:50

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
5040	MEMZ.exe
1912	MEMZ.exe
4388	MEMZ.exe
1464	MEMZ.exe
4524	MEMZ.exe
4776	MEMZ.exe
576	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1464	MEMZ.exe
1464	MEMZ.exe
4388	MEMZ.exe
4388	MEMZ.exe
4388	MEMZ.exe
4388	MEMZ.exe
1464	MEMZ.exe
1464	MEMZ.exe
4524	MEMZ.exe
4524	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
4776	MEMZ.exe
4776	MEMZ.exe
4524	MEMZ.exe
4524	MEMZ.exe
1464	MEMZ.exe
1464	MEMZ.exe
4388	MEMZ.exe
4388	MEMZ.exe
1464	MEMZ.exe
4524	MEMZ.exe
1464	MEMZ.exe
4524	MEMZ.exe
4776	MEMZ.exe
1912	MEMZ.exe
4776	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
4776	MEMZ.exe
4776	MEMZ.exe
4524	MEMZ.exe
4524	MEMZ.exe
1464	MEMZ.exe
1464	MEMZ.exe
4388	MEMZ.exe
4388	MEMZ.exe
1464	MEMZ.exe
1464	MEMZ.exe
4524	MEMZ.exe
4524	MEMZ.exe
4776	MEMZ.exe
4776	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
4524	MEMZ.exe
4524	MEMZ.exe
1464	MEMZ.exe
1464	MEMZ.exe
4388	MEMZ.exe
4388	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
4776	MEMZ.exe
4776	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	5520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5520	AUDIODG.EXE
Token: SeDebugPrivilege	5616	Taskmgr.exe
Token: SeSystemProfilePrivilege	5616	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5616	Taskmgr.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe
5616	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
576	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 484	4660	cmd.exe	82
PID 4660 wrote to memory of 484	4660	cmd.exe	82
PID 4660 wrote to memory of 5040	4660	cmd.exe	83
PID 4660 wrote to memory of 5040	4660	cmd.exe	83
PID 4660 wrote to memory of 5040	4660	cmd.exe	83
PID 5040 wrote to memory of 1912	5040	MEMZ.exe	91
PID 5040 wrote to memory of 1912	5040	MEMZ.exe	91
PID 5040 wrote to memory of 1912	5040	MEMZ.exe	91
PID 5040 wrote to memory of 4388	5040	MEMZ.exe	92
PID 5040 wrote to memory of 4388	5040	MEMZ.exe	92
PID 5040 wrote to memory of 4388	5040	MEMZ.exe	92
PID 5040 wrote to memory of 1464	5040	MEMZ.exe	93
PID 5040 wrote to memory of 1464	5040	MEMZ.exe	93
PID 5040 wrote to memory of 1464	5040	MEMZ.exe	93
PID 5040 wrote to memory of 4524	5040	MEMZ.exe	94
PID 5040 wrote to memory of 4524	5040	MEMZ.exe	94
PID 5040 wrote to memory of 4524	5040	MEMZ.exe	94
PID 5040 wrote to memory of 4776	5040	MEMZ.exe	95
PID 5040 wrote to memory of 4776	5040	MEMZ.exe	95
PID 5040 wrote to memory of 4776	5040	MEMZ.exe	95
PID 5040 wrote to memory of 576	5040	MEMZ.exe	96
PID 5040 wrote to memory of 576	5040	MEMZ.exe	96
PID 5040 wrote to memory of 576	5040	MEMZ.exe	96
PID 576 wrote to memory of 4184	576	MEMZ.exe	98
PID 576 wrote to memory of 4184	576	MEMZ.exe	98
PID 576 wrote to memory of 4184	576	MEMZ.exe	98
PID 576 wrote to memory of 5092	576	MEMZ.exe	101
PID 576 wrote to memory of 5092	576	MEMZ.exe	101
PID 5092 wrote to memory of 3988	5092	msedge.exe	102
PID 5092 wrote to memory of 3988	5092	msedge.exe	102
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103
PID 5092 wrote to memory of 1540	5092	msedge.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  PID:484
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4388
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4524
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4776
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5d9046f8,0x7ffa5d904708,0x7ffa5d904718
        5⤵
        
        PID:3988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        5⤵
        
        PID:4688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
        5⤵
        
        PID:4320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:2892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        5⤵
        
        PID:4812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        5⤵
        
        PID:1588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        5⤵
        
        PID:1016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
        5⤵
        
        PID:2464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
        5⤵
        
        PID:5040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        5⤵
        
        PID:1740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
        5⤵
        
        PID:4456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
        5⤵
        
        PID:524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        5⤵
        
        PID:4368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
        5⤵
        
        PID:4400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
        5⤵
        
        PID:1112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
        5⤵
        
        PID:3580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:5140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
        5⤵
        
        PID:5488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
        5⤵
        
        PID:5500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
        5⤵
        
        PID:5668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        5⤵
        
        PID:5752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
        5⤵
        
        PID:3944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:5684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
        5⤵
        
        PID:5108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
        5⤵
        
        PID:5948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
        5⤵
        
        PID:6100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1320 /prefetch:1
        5⤵
        
        PID:3764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,700051620115067573,685909703582304328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
        5⤵
        
        PID:5780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
      4⤵
      PID:2328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5d9046f8,0x7ffa5d904708,0x7ffa5d904718
        5⤵
        
        PID:4892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      PID:5232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5d9046f8,0x7ffa5d904708,0x7ffa5d904718
        5⤵
        
        PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
      4⤵
      PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5d9046f8,0x7ffa5d904708,0x7ffa5d904718
        5⤵
        
        PID:5180
  - - C:\Windows\SysWOW64\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\408f67ec-a35a-4d40-9325-ad8628f8db89.tmp

Filesize
10KB

MD5
1b1120edbb212cb57cbd3d50d1ef4311

SHA1
6452d0af6ef84c1448eba2fb886693583dcecbec

SHA256
53c8b182532a5b890e8d7fd19b0d1d04ebd597e8108ae787be2cad1d47215c76

SHA512
6445dfd84cf97869bf0d9cac58ab1d8697dd4ae9ec6fe2a82e7e82e56b1c48f1926a26b0d617e81667e65e1db6ea10ce2885efa543d399f47eed4bd8a8161846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
98KB

MD5
c0fc67fbc5c5eceb437b516b4365aa86

SHA1
6b5a02dc604f8b87eb9d456969b12b45dda79baa

SHA256
0b8baebdd76118229f6b486ab07c66d05b104fcc8a80df53261769f80ea093ea

SHA512
e73b48bd36052a2f31aabf40b32ada01fb8c92345a20e22126bed271bcab08ba0a677fd9fd29cca23e98379b6c1e0601bdae9f90c38d9369ba32f292450886d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
181KB

MD5
9f2974b002503518b4aa202ea711f449

SHA1
1fef5a59a10bea577607980a3f416b01fd1f04fd

SHA256
951e9c9b0b597ecbddd5ba82577b5e0210454664a870460c03b695826f36b104

SHA512
b6f7753756bea7a9a4514f2750e56a0d2100748a8894fff967e4ce994888401c7b97d9aec2b1088a47534f01a9a24388de58d2891ad7f9782319ec8b199790f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
18841444e95ed18e5d7d39f8c8bc5e09

SHA1
2656d19c32075737bd670f4e7a09b17911aeb3de

SHA256
6a5dd4d908e01bd5f1e99e95f48c2380804aa00a6c617e10c58ef502ab7b808f

SHA512
c1fea2cb67d784400a510cf9d8982e45f67f26c68425c3d06ecb3089bb80aed433c1f0fb576ec40d8ae384885ea055d97dd4ee64c6eeac2cc77c2e65dc9c9ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
ebccd9907a535132d8e8891d91e7d343

SHA1
fd3f0bc616240fe0db0ea517040f1c5356411460

SHA256
f231269c2f614cb88c4e7ad89907ff47534fb0952f331ef0afa9ad8ac29dd3b4

SHA512
c64dd924dc7508bfaf1a8a3562365a52dc9fe55c4783b3e8ffcbe657775f7f72f7d7c1ac0304cae97eccbd2f0bcd56a62e2b7052ed3e9af0e347af225964276b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
703b81bdd1060aeb708c33aa069c2337

SHA1
f2481d01f7b39af5b9129a5ce38fbf300f1637eb

SHA256
94853f36178e62988376337cf9d9f4df2d690de77a98752c67c22d79a2ca7f4d

SHA512
7921220d35c9e6dee05fadfb158a986646f1074adbdd8da6297dd8d444271c1115a4a0785016f7dfbcaee60ad242e7014052e46a833105ef11dd2fa06c27c92d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
6b8963fb008a83959b6d5a0782ff2dee

SHA1
4f174e44518f47f2d79da7e404326ba7745b90a0

SHA256
dfeff567b1dd3d201894f2a8a22fab92272f3354ee53a7f9f1c01f88c56c97aa

SHA512
6f5988b5a3105abd707f843d28474773b4dbf56771498cd25233bb29498dfd14020896f016014ebd2e4451bb6a1312811485bcd6f20d016154736a7e1c5b5cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
62269524de5184862965b7ea0568d909

SHA1
642501855b1ddb71faa9f42004b1f07ba98ab86a

SHA256
95c793d750df51d49e06bde25609d32f6ecfb53a94eef4518f4c70a9204a4b25

SHA512
ee3b79ce2d0d04955c05960232c0e2e8402a5dc26a34520936504ddf64953b380318a5575c4c92b64020a172bcffa9b2d2e9184600ac6a81f13f176a739142cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c79605d5c19b8e9bf8aabe25e756baa1

SHA1
807bbc37c8f44ac4d994cb3f01b34f68a2549867

SHA256
a1e4f87ea6e49094ebdc4917b4beb234de065d61e7df5e0426f753e2498690a1

SHA512
b55e58df6555f19b817879a88d5f4a41e6b2152a9ae41c0624691898f0631cf17704ecff30b88802158679675fc1e86e6062f93f0f998bdf9e16bbeecb775516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
56523f955bed2888a37f2115c1103fa4

SHA1
60398a957c7cf9949ff165bc6b734aef44a4ef0a

SHA256
cedb617c7d2a7f1cd8afe69067663adf3c29ff537928fd2cff632398221a9436

SHA512
950a6139e047fa80ea29bf7bfd31cef72bcc190aaa09d57a825b42ef51d4469de9c1c303b88327c72ebb4ab8aaf48e3d31d2a52d8357d1702a851337fe539774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ec53f5db0d3b805ca4c74cf37832154d

SHA1
4c9de2df3b7f25c9e142adc65e5bf0b4c5b8c18d

SHA256
6af80038279c18e6fd4ae3f0810f1e67a9eba62dd0d8e994a038636d7fc77eab

SHA512
bb747c8c8d979007094f48e3a63cdde02da65695c2a35896d2f7c396abd924325a91de34440944b9f8353a404fe507df77cdf869bc57db4a92889c64ebdf9799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e1b8bd4aa901c7a8dd112783a0a3eb6

SHA1
2302bc2f669b93050da3b1092e91ccf9dd20e20e

SHA256
8cfb4392a49eb86744ce90f574097816543a50360433445249b3e7a0becbf97b

SHA512
e709b1effb90e3fe93d420b9f2402bb97eb9d4bac1452278a8f0619ce06db9ce49361c16f17a4a7a36cf5d42a7867ffe8488ebad19a1fd23f96c6d1077465418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7e5374bb13190bef597a1ee2173c652b

SHA1
bc79ca7fa7e5388b5472e466cb2a31c3b3bca569

SHA256
d58cb94e0d5a0d25349a3731cacd2bd36198b714ea2a518b68229b4313d2655d

SHA512
1492cb00cdfac264fb30fde4c8f71570e4630a798285c88427612fd4015396cc3e039d9d24453915192801bd653bb3bda691dba9607ce216dedc56e161574a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
545b810cbd58cef89d82e9a440c92ee9

SHA1
7e6ebb1577fbd7d499bacde0846a2f8cf404c39d

SHA256
96f995d8599fc4c204429cb935fd3efc7e83975cbe8ec04f5048b4e7cb6ee6c1

SHA512
579530efa80c2768a157d7bb77daf45765d29da1c9b48787e63af86dc3c95c093d8279d8f37e06e594b3e47dc6115e5d1aeff8e5cf519b78db7aed1ca24033be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9213a1bd878e37bf9ebdcc2c58271e1a

SHA1
98b9eebfc24eca18567aa53a8b2dd15815bf2bc8

SHA256
4da065dcd6362eedd94ecdfdb6fa94ee9b78bbdf207bf1b421c5c9404baea572

SHA512
c08d22f37e8c29be1eb437f27e38b8afc0eecaf5d5cc4be510c7ef9788bfac4f3b96e556848ae5c0edbe1f390712fb32181c64e8e5179319f6e11d8fd81e904d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a6df4ff8188b28b2ea7bcdb8eb115d3

SHA1
33de924a28aee159cbd3088e7a0a9f5a9ac204af

SHA256
12f5c8103a2a832f4282a960c228b5aba9584622c8a66761349c92f68594e2b2

SHA512
c97aa84cca3b51c566f4ea7cd40877bc85942ed3b836b339c8e8aadc75c53c6c993219123d832433788fb27f6daa9a2b14e89a729809c9f7f527bfba48377ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dff61e7911d9a3be77aa033446877004

SHA1
45163e710ec493c544a77e527d47a7353af5b003

SHA256
eb3db98417738bfbbe7c93ee5e4d14e5a19c4828f529ee70c41cf9f3182c29cb

SHA512
08419026f44b209161ae6a6a83215fe40a69603af0dc58616c34cb55b81f560f16583cb07e8882469a9915d96faf7ee962fa9c7d0a2a1eae017e36d095dd251b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59551b.TMP

Filesize
1KB

MD5
cb46c3c9433d2bec3f34591c37a6b683

SHA1
ba9e7343dedaff779381c8cb5b44aa8526be0534

SHA256
d1dc2ac15d1fbdb440b2444d5fa08e05b6c2fbef24b24654b46365cd15a2e212

SHA512
008101a10887e2b4fed98d2daf870858a2869d7f9ababe9a7c2427f555106d7a07f8593355e5f8d06301571df8b899e1fa0201ab56db9491d84f33aca2e160c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/5616-628-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-627-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-626-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-638-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-637-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-636-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-635-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-634-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-633-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5616-632-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download