319bf6087040d17b87f46cd05f5ee064c291ba9ca46e1910f28d1f4c57cb3d96

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ-master/MEMZ-Destructive.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ-Destructive.exeMEMZ-Destructive.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ-Destructive.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ-Destructive.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\133c0091-dd3c-4012-a176-51b2d8104746.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230331225931.pma	setup.exe

Drops file in Windows directory 57 IoCs

Processes:

mmc.exe

description	ioc	process
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mmc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.execalc.exeMEMZ-Destructive.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	MEMZ-Destructive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exe

pid	process
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4060	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
4512	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
1064	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4752	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe
4892	MEMZ-Destructive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe
2744	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

mmc.exeAUDIODG.EXE

description	pid	process
Token: 33	3596	mmc.exe
Token: SeIncBasePriorityPrivilege	3596	mmc.exe
Token: 33	3596	mmc.exe
Token: SeIncBasePriorityPrivilege	3596	mmc.exe
Token: 33	844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	844	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2744 msedge.exe
2744 msedge.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MEMZ-Destructive.exeOpenWith.exemmc.exemmc.exe

pid process

3308 MEMZ-Destructive.exe
100 OpenWith.exe
5092 mmc.exe
3596 mmc.exe
3596 mmc.exe

pid	process
3308	MEMZ-Destructive.exe
100	OpenWith.exe
5092	mmc.exe
3596	mmc.exe
3596	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ-Destructive.exeMEMZ-Destructive.exemsedge.exe

description	pid	process	target process
PID 736 wrote to memory of 1064	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 1064	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 1064	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4060	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4060	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4060	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4892	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4892	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4892	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4752	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4752	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4752	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4512	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4512	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 4512	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 3308	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 3308	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 736 wrote to memory of 3308	736	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 3308 wrote to memory of 4824	3308	MEMZ-Destructive.exe	notepad.exe
PID 3308 wrote to memory of 4824	3308	MEMZ-Destructive.exe	notepad.exe
PID 3308 wrote to memory of 4824	3308	MEMZ-Destructive.exe	notepad.exe
PID 3308 wrote to memory of 2744	3308	MEMZ-Destructive.exe	msedge.exe
PID 3308 wrote to memory of 2744	3308	MEMZ-Destructive.exe	msedge.exe
PID 2744 wrote to memory of 2700	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 2700	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 3240	2744	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ-Destructive.exe" /main
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcdb2346f8,0x7ffcdb234708,0x7ffcdb234718
4⤵
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
4⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
4⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
4⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
4⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
4⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
4⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
4⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
4⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
4⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
4⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dc205460,0x7ff7dc205470,0x7ff7dc205480
5⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
4⤵
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
4⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
4⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
4⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
4⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1068 /prefetch:1
4⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1279760898370512795,13312308587674181157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
4⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real
3⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcdb2346f8,0x7ffcdb234708,0x7ffcdb234718
4⤵
PID:3716

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
- Modifies registry class
PID:2784

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton
3⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcdb2346f8,0x7ffcdb234708,0x7ffcdb234718
4⤵
PID:1444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dfeee58d8e9ccc6ffa537d5b4782ed65

SHA1
995bd4512e107fe1274eba41e49984403e075f31

SHA256
1a35071ba780d220a4e2d5c2c696563b316ba36993191563953059f70f6ae884

SHA512
3f598ed40475c4ebc65df2b9d1ce35bd29792cd0bddc2c02ab4a1776cf8a814523261bd130118ce5f5b16f111fe060ec185397fc7a6dd5539f442f8fb1444ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dfeee58d8e9ccc6ffa537d5b4782ed65

SHA1
995bd4512e107fe1274eba41e49984403e075f31

SHA256
1a35071ba780d220a4e2d5c2c696563b316ba36993191563953059f70f6ae884

SHA512
3f598ed40475c4ebc65df2b9d1ce35bd29792cd0bddc2c02ab4a1776cf8a814523261bd130118ce5f5b16f111fe060ec185397fc7a6dd5539f442f8fb1444ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
330KB

MD5
484182367bdfb023b8de920428dd49fe

SHA1
8f59294124efd5a5cb393da2647fda9c3dbf15af

SHA256
f31d604336270be26febb3de5d2445b68f5334160570df8c0bc11995fe9f6db3

SHA512
9cb11faeef4e6cd9df44cddcbb21ff07bf3739a3c47ff2232b99e4dbf2a26a86a76189cf094f495bbf2b65dc0997bf9504c193e653cedd7f5b1fe3241528f1d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
64KB

MD5
c4f7300442a8f13dddf5c9bd09128727

SHA1
d7c8a30cdfe9027cca42c45f44d569627112ae6c

SHA256
5decc8ac1f3d26152842e44d1aa103c913711168c968c936bb782fb3cac10155

SHA512
3b6ebaff36af22dcc9ae7a7593657b56f99afb242ebeed50d26a33e1e6b0ff31c98ef576b96cf98c277cafc1050fee40b5d4c3fcd730595be756089a980030cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
69KB

MD5
79f2aa99d3d8b52fed79466789e04e77

SHA1
1f9181fb8888127785b333cb1347568c5eb84c18

SHA256
660441d1e19b20e694e76063a3d275bb4ff0d1c46550ca04f1b60f98dd9b9a54

SHA512
d82618c29d6191813d26113ab77c5e50e995e4cc4ad66edfd75c45496cd2ab13aa0854e2fbe15882864fae2326a77ea578621e07389281b74a1b197c7b73ff61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
864B

MD5
830397a810e7af995853c41c724b10aa

SHA1
9bfe8af63b9440217be54ce8c00f510ae3e44fbb

SHA256
7a760a087cf71e2863fb84a44ff9972ad6dfb5ece76ae3dff9b3295cdfcf0982

SHA512
ea9836854f7fb5e29d2204e6b5334c3926d7e7888e8e0109c964f4995c1a73ebfaba77c71ee7db6b6ddc79f93eb89a6093269bc09b7aeb9ae14dc841639a3268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
eeb4a5e653387d07c4ea9d1fbe86ceca

SHA1
372a2b083308fbf6c80d56876431626e8229697f

SHA256
3bcaa209b268c968c34947614d1e6a09063ca50ee0c4f9c03ef524bdf1e005ab

SHA512
d853c9a2b222604589791aedc14c9c26080d0f6cf6d14266eb05d588836d1d484d7d3490f13562eedf45d953b6856952b92733a9d57a6ba400ba6fdb8ecab670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
3ec97279070cc8bc49daebc1b63dfa9b

SHA1
6e9652c78e0b8d923cbb2ba248b60100fc0568e8

SHA256
dd99e86f5f20348bec93cfe0731225ea81a7cb285fbab012b823dbb1a268732c

SHA512
e640d25d21012b25dd8da05c7e1168570d27a2a1c447b8dc0cbc4eb8f623f6a4b47277c8dec52c4221ccb280139e943df15116ac060af69be1f73c67e5ba89f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
23e179aea7481e4e59af72f9a89be364

SHA1
7aae058b52415eae737f96141f7fead808e6c4f9

SHA256
b30b17240b08b0f2d32f8af46a269f62f170a6c4a4a24e89e483ee450e5add8c

SHA512
09629f1eba5d3bf62228a0e7fc95e84eeb3060b00b719b6bfb046ad3a3baa585e134f923058a17887bc8da631c224137531671f4acc1ae724b2f19a231d4c2e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
15cdd12a7c83ea99be6ec6bd66707d82

SHA1
65de432e07c362bc9e1fd219fa6a29b662e844fe

SHA256
ace2f78c182d1405a4954c186acbc3e02aaab27e5652df9e7c45d564986f8053

SHA512
2a5be87e197575ebf2d9bf4980fd033fee8f4c814b35c4546dddc63adb43bb375b5a154a29c5fcf5893980171f535e1f02019e0599cbb43c3730c9dfc9aa177b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
664af770a1a3d0ad806b30e37b01fceb

SHA1
08dcfa518439d06fff4502f503e21725b609ea32

SHA256
27643331bcbca2c4c7d08f1848d3659a5982ba575906479297f0153288f5b65e

SHA512
a47886d75bbe932eb5bd95a3b93d661468b32582c3bfd3314465cb87f23b7c36d951eb93e62c53c0aa77ba42af3c728393a7b60bcf5adcf82b58f87303dd9f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a8e87da62a136f23183e3870666bd3cb

SHA1
d6f84d0872a5f1f458697e778df4ae8ea5c9f030

SHA256
0a473036a17a646b9a5534de565fd2b47c73dee5b04a24c6d15c50050f976e54

SHA512
441c6d9489569fc68a4e78c029b0729f8d7c2bd19b45af1a001f2899a5c55dd4613597a72b2d7557b41f5b944676f8c0379b868920c0d826d411512d8f60fd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
29a4cb1317519d25e42be6556ab80852

SHA1
f88ddd23bd282a787f549ac1461c16f9e9ef7b5e

SHA256
315083a740417b85441e56c77d419bd34ac8749ce039faf9c6f49adba9a1cde7

SHA512
b1740be50590cb6711d72de05e1f1d8d9c1a41a1aad82d3d1c171111c24daadcf7d660adce0b0be7fc1a8272ba1346a80a9bf1dd5e2a15db2b959f254b61df4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
19603818061f76fd3d409c6223f8cbc4

SHA1
0e49e0a3478ed462feed49165885ee530528518e

SHA256
a3dedcf98c5d30145b9bee203597fcc9db39767398e7bd7b7072801add4e3a02

SHA512
aa75f3714eebeda87853f9b8f92a6d7fb2f9356ef16148f9f3e9cd80e8324a0c098b73b8f5e966dc6a73d6f3cdd6891ea0bc228ad055f293df199955e2097852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
372B

MD5
eaae1a14ac7cc7fac41b193ef72dce17

SHA1
98bf177763a7a4321c6a7c59b0427fdd55f4a469

SHA256
26e8aae20067851d99a21945a55062148c581178a0e9d850973806354e7b8e99

SHA512
6f7d8f703e8dcc0fbd1b1ddd912b41dcb3a89180a2aa22c01cb2e5fb6ec23d4b102772240ed5e3e9a8962ad9e7454a46f9324c892f262f8477d7d2b7ed3eb851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b2c5.TMP
Filesize
372B

MD5
057fd4fef665dbbe18982d494a29a8a6

SHA1
2f2fb1ec4b540b98444baa2c71aede8e351f1a9e

SHA256
47f245857fa9bacbfe3c082fecc05f587b586657d9cc66cdd28d41a9906fff5b

SHA512
c70f8adb84c2a8507bfa2754304c9e0a26b3c6d99b38cf6ef121cbe1a4df63b50831acac43d55e503fbfa6de23583b435e29c5d11980589eb3c52615624a5ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
cf86b450d6959565e2ece84ab5c1d3e3

SHA1
850dd11dd0bcb3b6a6c2940473e76b37b4b06e31

SHA256
4d7ea560763ed2975379f4c936fae1d6782015d88bb17471569e14bf3c66a37c

SHA512
5b0888dc58942626d6df4c5e97d45f46b6943fecb2a337c3beb388e3b60286dc597b72980183c4b086b48f075ac5eb2d826390bdb1d6ad0873d8c8bbb4321ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0ef3f0672e6329b1cbb2905e68948b56

SHA1
4cc8b60a1400918713042dbc1f8a659d448df14c

SHA256
240cb3def879f4d271c046596a21280d82aa090b92ead883ca55c14f86b9dbeb

SHA512
37b06c499e527afc53d105ef5525bcef0910a5179cf124c86c5551d7b86c1876d8838ec198b17a0b687948bda53520a52812c17f2720a83d9d03b77bc67ba220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
b5691b69855e67f7c708e5cc9bfbf5f1

SHA1
a92cc63dc2e0ae55077698fe5d64b6c195760d36

SHA256
d4159a37d16c9a7132de8281f014ec0014175a83a4c3e0b23c93ff2b05bb7196

SHA512
7a8cccdb44c97ad1015c2392110e6bc3c25554937439db4bc73e216f64d7d414eef58969dd1a4053ba03614d8286f76919376a2401d8eed4abe9cdf7da34d870

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
8fa48a56b93a7069e4339f9193d25761

SHA1
98707d3ed8a4d03b75c01564ecb6c276a6efc1b2

SHA256
c24820578d266dd95287e3b32465928cb24d40e98cb97a4a34ccceda89065095

SHA512
2f577148c99109713252b4dc810165cc20e37ff3e6ef2d2c298f89f81cefea068f735ee588a54f413375ad37ccc5b164eb64b6ee7aa076402424a83b285cc486

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_2744_ICOVBNEFPSNXFRAU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit