Analysis
-
max time kernel
246s -
max time network
249s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
27-06-2022 02:18
General
-
Target
MEMZ.exe
-
Size
12KB
-
MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91
-
SHA1
761168201520c199dba68add3a607922d8d4a86e
-
SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
-
SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Detected potential entity reuse from brand google.
-
Drops file in Windows directory 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\SystemSettingsBroker.exeC:\Windows\System32\SystemSettingsBroker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3f01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a79055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD52232627db4a5e856f3bc0d3e5b8d9d9e
SHA1f7590de148315446b6b97fa2aa3af79b081a66ef
SHA256040579da7ad446e376b233b9ac1e558476fa9842623d4ef73c8498c4b451a0c6
SHA5125086c40cec4a4f3ecf596c6465a5ae6fb92a7009063947646a7b037b4d3fa761a9320a9e536f0007eb7b97af33e24aa0ff6743fb037e081338a3090ec4323502
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5694d90964a0ed70d58063d633025ccda
SHA11fd0396fa6ae089ffdc8ab6b125be3fc5b130735
SHA2568d353f3662baf6434f72be5a8a2d1be2295793f5a8e51f7f7b6830472021588a
SHA5127f8eb82007f7ddb49c1d9debf21fe591699f06a27d5f7084fa0032e3b64f1d1b4e52356e02d4e154ce7e44ff9c835146e7ace3a5573f0a63655929e05739d479
-
C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SKLIIY74\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5e242356cf539b9d9ba269a12e17c1258
SHA10423a100fb1ea1a4e2b49b4052a42009436a505d
SHA2561a341a076c61ab0c4dd1f8c01964d68fc66fe0727c1295a222f493d4767410bd
SHA512a03b6d882208f7dc5d41d67e10680508123cec14f0b1a19b773bf80290737fca00680a79ea11bcb231bb2941cb2c89e6466ec38beac84fe266fe6948b95c8fd0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD55a11c6099b9e5808dfb08c5c9570c92f
SHA1e5dc219641146d1839557973f348037fa589fd18
SHA25691291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172
SHA512c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_76A9E2B652EAE9B8A1B56A55A3D8083FFilesize
471B
MD574003a625b4d00a7a6505c1c608c9c20
SHA1f5f5085f579edc4570bf0f183a0204f9a8243531
SHA256626474bd761ecf1d6e6275fc98093db91323c8add0c48f92f35c629a40bfd4b6
SHA512e1f252d721e178712839f282c0d14c9ff71b3983ac773aefe71692944f690ead611643501a6f9c74499bf446626b234020d458481614fe38346a72ad040f5cfa
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD555f8f67503123e2e08980a0747cefe31
SHA1f17286578e54e454e50424af301a3d10f474e211
SHA2564715310f8440809a79302d12982f8f1c9717bed21d02ffcdedea08013c17a0e8
SHA512fb69ca0d4338518de6a72adcef94100d5f544a2cb5dd0da142bedd8d26be74551d18ead429f6045cfe039bd56f8cf97ecf7e0f26729029b7adcf7e87d0f62f7c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD5bc4d446b2508ef442416ca1552b46aea
SHA1616ede831d8e98a6247c20fec1c5b848914854d9
SHA2564e6992389d3720b92d9fbb5a73fb25243eaef6004b399c50ccb446638dcdad11
SHA512eb688ad3fdc2785a6c0f22e3d0c60e6d73a69339637e9cd559bea73ee1dfba2c8df1bffee531bdc797dbfe06b4fb6c28fe481a0c9df466fa7b75de3add74243a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_76A9E2B652EAE9B8A1B56A55A3D8083FFilesize
414B
MD575df38f86db21ba9617d9fa817e4ff1f
SHA1a483dc409c6edb12d5d2ec9741a5c2013a79ea13
SHA25601795a00876ce3d19571c4cecb9ebe9c19d8b2d62a09bed5cbb845bf2f50e2ff
SHA512bc6271209c0f6efbc711d9e861bd71496af25679f499d8daaef9bed6cc3da21a62191557d405f4a0dd5d8bb024bdbdec3d88c114ac6232ef2af411937fbcedda
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WTZA09J3\favicon[1].icoFilesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.logFilesize
512KB
MD51a7b9a1e2148770fe9118e035ea7387d
SHA1e21abdd27662782fc16def4d86385238c4513f21
SHA2567a242b261fa32112377f52651e737a8fed836324324e7a669113f45617825a98
SHA512e3f8ffdaf1bdc911913a095b5a9da4b57c6aac7af469c4ff0588c2b009e5813fb46e527cc46674163999cf8c84e90067588a302251d03a88ef96bc8cbe1a8370
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.logFilesize
512KB
MD5b72857286264a91be94fb561c837e04a
SHA17831c3c8f0d8a51499c050be826a332fc9fe904e
SHA256ce8cb1876967d62e65c7059d478c98c15d96ae365d0bd27b2b3648fa9457ab4d
SHA51211ecfc1cc493345cd410e214a74df81b678dccd1f646d0779ce2acc98fb0b2508599949d2b8400d72f6124049907b1f11d74efb13dfc3eba89521f53ab9fa1ef
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.logFilesize
512KB
MD5f5ffa7f695036b94eda9bc32144f379f
SHA17bb5cb49f6f043be7b0c55b2b7650a92ef333d89
SHA256b740de588ed7f05c9076e62bdebf3e7cba475e42c024a236590ed6d5aab0765e
SHA512b6277f00629d8ee88adc9cacad87cafb8f2f385e48cdddf9657a574ccb65647ba13889e8abb9179c1f5b9e519adab261f5e8ea2693eced391747cb37d1e5fa57
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chkFilesize
8KB
MD505cd7cb5cacb9da6307753b4e2aa3a89
SHA112ef3a5aa54a3f12945ca8f40d9427b700cd6012
SHA256c435b3543a38f0a04ff8ee1ffbecd2b252d873d4b52ac0c713882a052db59d77
SHA5123896a8672e48f7a67ea45a91ec3cb843f37ac871ade0ba949826a8b666e2eea2050d83374cfbebbfb5f3c0cd790fe2614306fbfc162719d0be81b0b5ad59c1c0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chkFilesize
8KB
MD55668efaebc912b06ac0e3490d7225448
SHA12b648e024d56cd717a65db91cc96bd95b3d390f5
SHA256b4607ef1107a660b3b7f234c701300d74179c2c8a3e1bf6aaabfa50005c45ee0
SHA512f9cf65418d2aa8e8c6cf0a3fbd6d3c5ab394f7329663ef6cfe704dd46cafafb6b7a35408efc345f799d1161406611fa6dcb2cd5c992afa21dba75efcf63e3f77
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chkFilesize
8KB
MD59c1813fe7a0b9b8e62d91459cce24f75
SHA1a04e294e6adab0e207dbad3fbcbd41dec86dd78b
SHA2569d26f1f794ecd5cd398217d43fdf53fd2e4d3b4d619b12e8984482b74842182a
SHA5127ab19816579732e362273e79246e3f0b5b30a74f8b326ff3de88438f3cf6deab239b5918fa05e8a84b391e20178bfc61eeac05319e8d9a98ccd1fe9a4de88a8c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edbFilesize
2.0MB
MD57f34278fd8ebf3b1d5f9e7ccd31679e6
SHA1b9776564481d2b0026ab272caac64cc73a96b67c
SHA256726703bbdb5ad7a7bc79554ba896cc34c2619051aa33cf2944a52cda195bb204
SHA512636fe70d5e59b80aaf56ff42c43f373c73ac283162d10f2fb8a85cda957a6a65acfe85a33ef6fbbca3a292d52edf0a4c3078bede4c2674acbc9f5d6bd9e66904
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edbFilesize
2.0MB
MD57fd64e29dccc0c6eae3eb8889b0b9c3a
SHA1f72d20f458ebb0076bcb1ed39928830f36cd2fd4
SHA256fe56f2eae38d665cb9126d9278870c936889ffd619bca190176623d661eadccf
SHA5127921b97e426651ac98e6fecb50f1ad00f3220732ed258c7b80e89ba163db8635c9a1cca2f2035b90533cc50c631e8793f2f8a71703fd929cde7a51d6df815f5c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edbFilesize
2.0MB
MD55cfaed8878e3c2ba3231d1a6798f8960
SHA164b6273d98a36557348a090690d809e5d771f126
SHA256bb0139688b75b9fc1a874c039b5cf527d576d54b6cd716aa8f90d61f76a7b8d3
SHA51213f457020092cb08f33df4559e572fc8b52bb6de2bf5e1477a9215179c7985eee71626ac4b81be7119aa7b9d3a8a7ccb4316e797e8493df216a6f58e0299d25d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfmFilesize
16KB
MD5e8f31f061d35601ae9c29aba1440e2b3
SHA1b4ce59508c8164683bb3adb89b52f2ed86585f6b
SHA2569ed093fa85d6333f42866eef2197229318ac454619b52362878c7020ffd3ebc6
SHA51257f7550a006ef68ceee30590ab2bdbbe3e01683ba11986895ec95f71aa966cbb5fe9de39e9994d4129d1080710e443bf4d70b3b382cbd014dee685debfb9315a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfmFilesize
16KB
MD5d35d15ae20900429c064007c8441de02
SHA10d18ee5ee4e1b9764d933a925851764e1360d4f4
SHA256de108926ed4bf244520db83564ce50c81ff87eaf033df0760d9fd0fd563e9ef2
SHA512c27ab7ed8a585fff1b407a9a8a590e10c70556f786721ab09bc601e07602e2b8fd341db5d05228cde146b31dc181c9527a8a2c26c46b8e970206d78ddc677c0d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfmFilesize
16KB
MD54debe006f1d6af2548fd3ded7f5628af
SHA15770bb9142c21172d2e2eb41c21fd580e9e42344
SHA2561489e76abe9ed5c93ed5b5d6628f0a9adf93160f5ee43c3597801a62946c86c8
SHA51258b8933fd28b55f9c6befb7daa09f1059d97278b187dbddd36303fa7cfe78f05415f0b19b4a6ddebeb94373802f1b8613d182968134547cf9287c86d5a1ad112
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\r7q5j8a\imagestore.datFilesize
5KB
MD5a7c37c32f3b5567f053c19e3f29c8570
SHA1954129d99f6a51f4b0f59ccf80c54c92fa8e8d84
SHA256d019bb335e2867ac4c013c160446d8e63908a0ca7a56c3d98eee5020e31a5a1f
SHA512ae6ec6c515a70f180090994ae2494b2d008b9ab881bff6de6954422559e52ae8df178e7abddc9bd97df01df35b834e42c99e40dbd8c749dca8a105bc5e5acc9b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{137AA2E8-6255-4A96-A572-EC1CD48D40F9}.datFilesize
4KB
MD5d83eb426d351eab917452bcb9d666a0e
SHA1569a9190c1ba5e2781f209cdd659e852088436b6
SHA256009dbc183824c8e2adb8ecfb3dfb4d0358c7cb7db7b8f418fccb2842a7f39907
SHA5125e8dd9bfb0a438304e7812bcd05cece63dea5675bb25bd4f6df5f23276ce1ade656c6ced832d26a013e35f826d958e0085c08754f69d81d14e9e950fd141394f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{5A53E0ED-C682-4B42-803D-DF51B849D758}.datFilesize
5KB
MD58ee2671d7c15012e6ae876581a671023
SHA1c1a4b12d455e279eb63228fbd243ac16b2532e3e
SHA256d95f22e521cd626b5d548d3953d374efcc7cdaf9a54ff168bd889ba63d765679
SHA51226f0deea35652e1840be82a4ce06fc3fc63d53b0e296d71f420fe96c52ff08bd8e63b5ab1d7947f7d3c925b6c79e3a3317b486f59953ba972e6e336cd3b043b6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{FE27AD33-4BCA-4013-A6D1-D58DEF51A2CC}.datFilesize
4KB
MD5b2a4c81145dc1ec98b147fc16f94a6dd
SHA1db699320bd7aff541cdd1433a3e091c9cf94c5a2
SHA256eafca81fd594814ea669a16ac904742afc1908bee913a323b4dae6b52953ec0a
SHA5126880c940a587994b5e45a3d44bdfc1c1fb89384d934e4faa19da49888bacc80878705482e9da1c4a1f7f825c722ce50eee223ff3ba67a119529ffe7f20647c67
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{51882CB5-3FD4-4BF3-9805-406C677CB528}.datFilesize
5KB
MD5ba5dd3acb80d176f02a2b1a53f29887b
SHA11144d6c51128cdef85d8dc4d96ffcbc0d5af88e8
SHA256773cb3f436598fd5379a12846532adac546fb43db315a8e1f9363f2dc0c8eddc
SHA512a694206c7c0c17f5209bfee48c43c9aa7a55541248342d89dbb556bd90c903de0a40aa5d192f66e8f8efe9563846e9e314fe36d61455c857b6bc2889c25b9864
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{B1B324AB-B571-421F-8CCB-9268C45B2671}.datFilesize
5KB
MD565ea9ad31e31eff6a53251c7f2efb01e
SHA1883f759b256dd4f74ccbd22b53e8bdf12308237a
SHA2560edf88c7f0e70280c40703e59394515d6c32effae6b4cfec6a9a2772ac52ac0b
SHA512527a948d28b5e89cf2bf88b799f81a8719807db4453f8649de84ccbd9c6c1327513fafe3e9fc33267e102715f14d6b3e3c55d081378a30ad0ee0ffdf54da5005
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{CD7B75DD-8F8D-4202-A148-72BD8E08FE5F}.datFilesize
8KB
MD5f54aebacba10b1ac07c39345b5e18b68
SHA17ca5071f7c4df9aa73cdb0adfbb5bf4767192795
SHA2566fef16938923d768dc3f046967f0aa852d9ca5b9bd217b08217fcfd062b6541b
SHA512ec1993fedef395f91c37264f26fb7c280d724cf3a16167f50ec698e087c66ad56b988f1492bb530613f4c661e04c587ba1f870973c4de0caec89928bbcb665d2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Windows\INF\netsstpa.PNFFilesize
6KB
MD501e21456e8000bab92907eec3b3aeea9
SHA139b34fe438352f7b095e24c89968fca48b8ce11c
SHA25635ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA5129d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
memory/832-756-0x0000000000000000-mapping.dmp
-
memory/1076-401-0x0000000000000000-mapping.dmp
-
memory/1484-175-0x0000000000000000-mapping.dmp
-
memory/1484-184-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1624-601-0x0000000000000000-mapping.dmp
-
memory/1760-180-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1760-164-0x0000000000000000-mapping.dmp
-
memory/1760-165-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1760-167-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1760-170-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1760-172-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1760-176-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1876-182-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1876-187-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1876-171-0x0000000000000000-mapping.dmp
-
memory/1876-178-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1932-181-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1932-173-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1932-177-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1932-186-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/1932-168-0x0000000000000000-mapping.dmp
-
memory/2192-149-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-144-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-119-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-120-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-121-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-163-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-162-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-122-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-161-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-160-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-123-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-159-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-158-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-124-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-157-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-156-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-155-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-154-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-153-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-152-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-151-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-150-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-185-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-148-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-147-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-146-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-145-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-125-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-143-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-142-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-141-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-140-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-139-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-138-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-137-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-136-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-135-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-134-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-133-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-132-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-131-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-129-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-130-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-128-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-127-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2192-126-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/2564-249-0x0000000000000000-mapping.dmp
-
memory/3048-179-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/3048-169-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/3048-183-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/3048-174-0x0000000077820000-0x00000000779AE000-memory.dmpFilesize
1.6MB
-
memory/3048-166-0x0000000000000000-mapping.dmp
-
memory/3320-799-0x0000000000000000-mapping.dmp
-
memory/5028-803-0x0000000000000000-mapping.dmp