Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2023 20:58

Static task: static1
Behavioral task: behavioral1
  Sample: MEMZ-master/MEMZ-Destructive.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: MEMZ-master/MEMZ-Destructive.exe
  Resource: win10v2004-20230220-en
General
- Target: MEMZ-master/MEMZ-Destructive.exe
- Size: 14KB
- MD5: 19dbec50735b5f2a72d4199c4e184960
- SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
- SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
- SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
- SSDEEP: 192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation  MEMZ-Destructive.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation  MEMZ-Destructive.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
    File opened for modification  \??\PhysicalDrive0  MEMZ-Destructive.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\System32\devmgmt.msc  mmc.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
    File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\133c0091-dd3c-4012-a176-51b2d8104746.tmp  setup.exe
    File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230331225931.pma  setup.exe
- Drops file in Windows directory (57 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\INF\c_diskdrive.PNF  mmc.exe
    File created  C:\Windows\INF\c_media.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsantivirus.PNF  mmc.exe
    File created  C:\Windows\INF\c_computeaccelerator.PNF  mmc.exe
    File created  C:\Windows\INF\c_linedisplay.PNF  mmc.exe
    File created  C:\Windows\INF\c_fssystem.PNF  mmc.exe
    File created  C:\Windows\INF\c_camera.PNF  mmc.exe
    File created  C:\Windows\INF\c_holographic.PNF  mmc.exe
    File created  C:\Windows\INF\digitalmediadevice.PNF  mmc.exe
    File created  C:\Windows\INF\c_display.PNF  mmc.exe
    File created  C:\Windows\INF\c_netdriver.PNF  mmc.exe
    File created  C:\Windows\INF\rawsilo.PNF  mmc.exe
    File created  C:\Windows\INF\c_magneticstripereader.PNF  mmc.exe
    File created  C:\Windows\INF\c_proximity.PNF  mmc.exe
    File created  C:\Windows\INF\c_ucm.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsopenfilebackup.PNF  mmc.exe
    File created  C:\Windows\INF\ts_generic.PNF  mmc.exe
    File created  C:\Windows\INF\c_fscfsmetadataserver.PNF  mmc.exe
    File created  C:\Windows\INF\c_apo.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsphysicalquotamgmt.PNF  mmc.exe
    File created  C:\Windows\INF\c_volume.PNF  mmc.exe
    File created  C:\Windows\INF\c_cashdrawer.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsactivitymonitor.PNF  mmc.exe
    File created  C:\Windows\INF\c_firmware.PNF  mmc.exe
    File created  C:\Windows\INF\c_sslaccel.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsreplication.PNF  mmc.exe
    File created  C:\Windows\INF\c_fshsm.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsinfrastructure.PNF  mmc.exe
    File created  C:\Windows\INF\c_barcodescanner.PNF  mmc.exe
    File created  C:\Windows\INF\xusb22.PNF  mmc.exe
    File created  C:\Windows\INF\c_fscontentscreener.PNF  mmc.exe
    File created  C:\Windows\INF\c_processor.PNF  mmc.exe
    File created  C:\Windows\INF\rdcameradriver.PNF  mmc.exe
    File created  C:\Windows\INF\miradisp.PNF  mmc.exe
    File created  C:\Windows\INF\c_extension.PNF  mmc.exe
    File created  C:\Windows\INF\c_fscompression.PNF  mmc.exe
    File created  C:\Windows\INF\remoteposdrv.PNF  mmc.exe
    File created  C:\Windows\INF\c_monitor.PNF  mmc.exe
    File created  C:\Windows\INF\c_scmvolume.PNF  mmc.exe
    File created  C:\Windows\INF\oposdrv.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsquotamgmt.PNF  mmc.exe
    File created  C:\Windows\INF\wsdprint.PNF  mmc.exe
    File created  C:\Windows\INF\c_smrdisk.PNF  mmc.exe
    File created  C:\Windows\INF\c_scmdisk.PNF  mmc.exe
    File created  C:\Windows\INF\c_smrvolume.PNF  mmc.exe
    File created  C:\Windows\INF\c_fscontinuousbackup.PNF  mmc.exe
    File created  C:\Windows\INF\c_fscopyprotection.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsvirtualization.PNF  mmc.exe
    File created  C:\Windows\INF\c_mcx.PNF  mmc.exe
    File created  C:\Windows\INF\c_receiptprinter.PNF  mmc.exe
    File created  C:\Windows\INF\c_fssystemrecovery.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsencryption.PNF  mmc.exe
    File created  C:\Windows\INF\c_swcomponent.PNF  mmc.exe
    File created  C:\Windows\INF\PerceptionSimulationSixDof.PNF  mmc.exe
    File created  C:\Windows\INF\c_fssecurityenhancer.PNF  mmc.exe
    File created  C:\Windows\INF\c_fsundelete.PNF  mmc.exe
    File created  C:\Windows\INF\dc1-controller.PNF  mmc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 20 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A  mmc.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags  mmc.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  mmc.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
- Modifies registry class (3 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
    Key created  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings  calc.exe
    Key created  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings  MEMZ-Destructive.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process, number of hits):
    1064  MEMZ-Destructive.exe  16
    4060  MEMZ-Destructive.exe  14
    4892  MEMZ-Destructive.exe  12
    4752  MEMZ-Destructive.exe  12
    4512  MEMZ-Destructive.exe  10
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
  Processes (pid, process, number of hits):
    2744  msedge.exe  12
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
    Token: 33                          3596  mmc.exe
    Token: SeIncBasePriorityPrivilege  3596  mmc.exe
    Token: 33                          3596  mmc.exe
    Token: SeIncBasePriorityPrivilege  3596  mmc.exe
    Token: 33                          844   AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  844   AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process, number of hits):
    2744  msedge.exe  2
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid, process):
    3308  MEMZ-Destructive.exe
    100   OpenWith.exe
    5092  mmc.exe
    3596  mmc.exe
    3596  mmc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid, source process, target pid, target process, number of hits):
    736   MEMZ-Destructive.exe  1064  MEMZ-Destructive.exe  3
    736   MEMZ-Destructive.exe  4060  MEMZ-Destructive.exe  3
    736   MEMZ-Destructive.exe  4892  MEMZ-Destructive.exe  3
    736   MEMZ-Destructive.exe  4752  MEMZ-Destructive.exe  3
    736   MEMZ-Destructive.exe  4512  MEMZ-Destructive.exe  3
    736   MEMZ-Destructive.exe  3308  MEMZ-Destructive.exe  3
    3308  MEMZ-Destructive.exe  4824  notepad.exe           3
    3308  MEMZ-Destructive.exe  2744  msedge.exe            2
    2744  msedge.exe            2700  msedge.exe            2
    2744  msedge.exe            3240  msedge.exe            39
Processes (tree; the number in brackets is the nesting level, indented lines give the command line and the signatures hit by that process)
[1] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /main
    - Checks computer location settings
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" \note.txt
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcdb2346f8,0x7ffcdb234708,0x7ffcdb234718
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dc205460,0x7ff7dc205470,0x7ff7dc205480
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1068 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcdb2346f8,0x7ffcdb234708,0x7ffcdb234718
    [3] C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\System32\calc.exe"
      - Modifies registry class
    [3] C:\Windows\SysWOW64\mmc.exe
      Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\system32\mmc.exe
        Command line: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcdb2346f8,0x7ffcdb234708,0x7ffcdb234718
[1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x308 0x2c8
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: cd4f5fe0fc0ab6b6df866b9bfb9dd762
  SHA1: a6aaed363cd5a7b6910e9b3296c0093b0ac94759
  SHA256: 3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
  SHA512: 7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1d40312629d09d2420e992fdb8a78c1c
  SHA1: 903950d5ba9d64ec21c9f51264272ca8dfae9540
  SHA256: 1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
  SHA512: a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: dfeee58d8e9ccc6ffa537d5b4782ed65
  SHA1: 995bd4512e107fe1274eba41e49984403e075f31
  SHA256: 1a35071ba780d220a4e2d5c2c696563b316ba36993191563953059f70f6ae884
  SHA512: 3f598ed40475c4ebc65df2b9d1ce35bd29792cd0bddc2c02ab4a1776cf8a814523261bd130118ce5f5b16f111fe060ec185397fc7a6dd5539f442f8fb1444ad6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: dfeee58d8e9ccc6ffa537d5b4782ed65
  SHA1: 995bd4512e107fe1274eba41e49984403e075f31
  SHA256: 1a35071ba780d220a4e2d5c2c696563b316ba36993191563953059f70f6ae884
  SHA512: 3f598ed40475c4ebc65df2b9d1ce35bd29792cd0bddc2c02ab4a1776cf8a814523261bd130118ce5f5b16f111fe060ec185397fc7a6dd5539f442f8fb1444ad6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
  Filesize: 20KB
  MD5: 923a543cc619ea568f91b723d9fb1ef0
  SHA1: 6f4ade25559645c741d7327c6e16521e43d7e1f9
  SHA256: bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
  SHA512: a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
  Filesize: 330KB
  MD5: 484182367bdfb023b8de920428dd49fe
  SHA1: 8f59294124efd5a5cb393da2647fda9c3dbf15af
  SHA256: f31d604336270be26febb3de5d2445b68f5334160570df8c0bc11995fe9f6db3
  SHA512: 9cb11faeef4e6cd9df44cddcbb21ff07bf3739a3c47ff2232b99e4dbf2a26a86a76189cf094f495bbf2b65dc0997bf9504c193e653cedd7f5b1fe3241528f1d6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
  Filesize: 64KB
  MD5: c4f7300442a8f13dddf5c9bd09128727
  SHA1: d7c8a30cdfe9027cca42c45f44d569627112ae6c
  SHA256: 5decc8ac1f3d26152842e44d1aa103c913711168c968c936bb782fb3cac10155
  SHA512: 3b6ebaff36af22dcc9ae7a7593657b56f99afb242ebeed50d26a33e1e6b0ff31c98ef576b96cf98c277cafc1050fee40b5d4c3fcd730595be756089a980030cf
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
  Filesize: 69KB
  MD5: 79f2aa99d3d8b52fed79466789e04e77
SHA11f9181fb8888127785b333cb1347568c5eb84c18
SHA256660441d1e19b20e694e76063a3d275bb4ff0d1c46550ca04f1b60f98dd9b9a54
SHA512d82618c29d6191813d26113ab77c5e50e995e4cc4ad66edfd75c45496cd2ab13aa0854e2fbe15882864fae2326a77ea578621e07389281b74a1b197c7b73ff61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
37KB
MD547ae9b25af86702d77c7895ac6f6b57c
SHA1f56f78729b99247a975620a1103cac3ee9f313a5
SHA2569bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224
SHA51272b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
864B
MD5830397a810e7af995853c41c724b10aa
SHA19bfe8af63b9440217be54ce8c00f510ae3e44fbb
SHA2567a760a087cf71e2863fb84a44ff9972ad6dfb5ece76ae3dff9b3295cdfcf0982
SHA512ea9836854f7fb5e29d2204e6b5334c3926d7e7888e8e0109c964f4995c1a73ebfaba77c71ee7db6b6ddc79f93eb89a6093269bc09b7aeb9ae14dc841639a3268
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5eeb4a5e653387d07c4ea9d1fbe86ceca
SHA1372a2b083308fbf6c80d56876431626e8229697f
SHA2563bcaa209b268c968c34947614d1e6a09063ca50ee0c4f9c03ef524bdf1e005ab
SHA512d853c9a2b222604589791aedc14c9c26080d0f6cf6d14266eb05d588836d1d484d7d3490f13562eedf45d953b6856952b92733a9d57a6ba400ba6fdb8ecab670
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD53ec97279070cc8bc49daebc1b63dfa9b
SHA16e9652c78e0b8d923cbb2ba248b60100fc0568e8
SHA256dd99e86f5f20348bec93cfe0731225ea81a7cb285fbab012b823dbb1a268732c
SHA512e640d25d21012b25dd8da05c7e1168570d27a2a1c447b8dc0cbc4eb8f623f6a4b47277c8dec52c4221ccb280139e943df15116ac060af69be1f73c67e5ba89f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD523e179aea7481e4e59af72f9a89be364
SHA17aae058b52415eae737f96141f7fead808e6c4f9
SHA256b30b17240b08b0f2d32f8af46a269f62f170a6c4a4a24e89e483ee450e5add8c
SHA51209629f1eba5d3bf62228a0e7fc95e84eeb3060b00b719b6bfb046ad3a3baa585e134f923058a17887bc8da631c224137531671f4acc1ae724b2f19a231d4c2e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD515cdd12a7c83ea99be6ec6bd66707d82
SHA165de432e07c362bc9e1fd219fa6a29b662e844fe
SHA256ace2f78c182d1405a4954c186acbc3e02aaab27e5652df9e7c45d564986f8053
SHA5122a5be87e197575ebf2d9bf4980fd033fee8f4c814b35c4546dddc63adb43bb375b5a154a29c5fcf5893980171f535e1f02019e0599cbb43c3730c9dfc9aa177b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5664af770a1a3d0ad806b30e37b01fceb
SHA108dcfa518439d06fff4502f503e21725b609ea32
SHA25627643331bcbca2c4c7d08f1848d3659a5982ba575906479297f0153288f5b65e
SHA512a47886d75bbe932eb5bd95a3b93d661468b32582c3bfd3314465cb87f23b7c36d951eb93e62c53c0aa77ba42af3c728393a7b60bcf5adcf82b58f87303dd9f76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5a8e87da62a136f23183e3870666bd3cb
SHA1d6f84d0872a5f1f458697e778df4ae8ea5c9f030
SHA2560a473036a17a646b9a5534de565fd2b47c73dee5b04a24c6d15c50050f976e54
SHA512441c6d9489569fc68a4e78c029b0729f8d7c2bd19b45af1a001f2899a5c55dd4613597a72b2d7557b41f5b944676f8c0379b868920c0d826d411512d8f60fd1b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD529a4cb1317519d25e42be6556ab80852
SHA1f88ddd23bd282a787f549ac1461c16f9e9ef7b5e
SHA256315083a740417b85441e56c77d419bd34ac8749ce039faf9c6f49adba9a1cde7
SHA512b1740be50590cb6711d72de05e1f1d8d9c1a41a1aad82d3d1c171111c24daadcf7d660adce0b0be7fc1a8272ba1346a80a9bf1dd5e2a15db2b959f254b61df4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51463bf2a54e759c40d9ad64228bf7bec
SHA12286d0ac3cfa9f9ca6c0df60699af7c49008a41f
SHA2569b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
SHA51233e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
90B
MD519603818061f76fd3d409c6223f8cbc4
SHA10e49e0a3478ed462feed49165885ee530528518e
SHA256a3dedcf98c5d30145b9bee203597fcc9db39767398e7bd7b7072801add4e3a02
SHA512aa75f3714eebeda87853f9b8f92a6d7fb2f9356ef16148f9f3e9cd80e8324a0c098b73b8f5e966dc6a73d6f3cdd6891ea0bc228ad055f293df199955e2097852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
26B
MD52892eee3e20e19a9ba77be6913508a54
SHA17c4ef82faa28393c739c517d706ac6919a8ffc49
SHA2564f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2
SHA512b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
372B
MD5eaae1a14ac7cc7fac41b193ef72dce17
SHA198bf177763a7a4321c6a7c59b0427fdd55f4a469
SHA25626e8aae20067851d99a21945a55062148c581178a0e9d850973806354e7b8e99
SHA5126f7d8f703e8dcc0fbd1b1ddd912b41dcb3a89180a2aa22c01cb2e5fb6ec23d4b102772240ed5e3e9a8962ad9e7454a46f9324c892f262f8477d7d2b7ed3eb851
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b2c5.TMPFilesize
372B
MD5057fd4fef665dbbe18982d494a29a8a6
SHA12f2fb1ec4b540b98444baa2c71aede8e351f1a9e
SHA25647f245857fa9bacbfe3c082fecc05f587b586657d9cc66cdd28d41a9906fff5b
SHA512c70f8adb84c2a8507bfa2754304c9e0a26b3c6d99b38cf6ef121cbe1a4df63b50831acac43d55e503fbfa6de23583b435e29c5d11980589eb3c52615624a5ecd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD5cf86b450d6959565e2ece84ab5c1d3e3
SHA1850dd11dd0bcb3b6a6c2940473e76b37b4b06e31
SHA2564d7ea560763ed2975379f4c936fae1d6782015d88bb17471569e14bf3c66a37c
SHA5125b0888dc58942626d6df4c5e97d45f46b6943fecb2a337c3beb388e3b60286dc597b72980183c4b086b48f075ac5eb2d826390bdb1d6ad0873d8c8bbb4321ee2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD50ef3f0672e6329b1cbb2905e68948b56
SHA14cc8b60a1400918713042dbc1f8a659d448df14c
SHA256240cb3def879f4d271c046596a21280d82aa090b92ead883ca55c14f86b9dbeb
SHA51237b06c499e527afc53d105ef5525bcef0910a5179cf124c86c5551d7b86c1876d8838ec198b17a0b687948bda53520a52812c17f2720a83d9d03b77bc67ba220
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5b5691b69855e67f7c708e5cc9bfbf5f1
SHA1a92cc63dc2e0ae55077698fe5d64b6c195760d36
SHA256d4159a37d16c9a7132de8281f014ec0014175a83a4c3e0b23c93ff2b05bb7196
SHA5127a8cccdb44c97ad1015c2392110e6bc3c25554937439db4bc73e216f64d7d414eef58969dd1a4053ba03614d8286f76919376a2401d8eed4abe9cdf7da34d870
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD58fa48a56b93a7069e4339f9193d25761
SHA198707d3ed8a4d03b75c01564ecb6c276a6efc1b2
SHA256c24820578d266dd95287e3b32465928cb24d40e98cb97a4a34ccceda89065095
SHA5122f577148c99109713252b4dc810165cc20e37ff3e6ef2d2c298f89f81cefea068f735ee588a54f413375ad37ccc5b164eb64b6ee7aa076402424a83b285cc486
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
\??\pipe\LOCAL\crashpad_2744_ICOVBNEFPSNXFRAUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e