Analysis
-
max time kernel
97s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
03-04-2023 12:43
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://discord.com/channels/@me
Resource
win10v2004-20230220-en
General
-
Target
https://discord.com/channels/@me
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MEMZ.exeMEMZ.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation MEMZ.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation MEMZ.exe -
Executes dropped EXE 7 IoCs
Processes:
MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid process 5956 MEMZ.exe 5536 MEMZ.exe 1968 MEMZ.exe 1676 MEMZ.exe 3936 MEMZ.exe 4336 MEMZ.exe 652 MEMZ.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
MEMZ.exeMEMZ.exedescription ioc process File opened for modification \??\PhysicalDrive0 MEMZ.exe File opened for modification \??\PhysicalDrive0 MEMZ.exe -
Drops file in System32 directory 5 IoCs
Processes:
cmd.execscript.exedescription ioc process File opened for modification C:\Windows\System32\x cmd.exe File created C:\Windows\System32\x.js cmd.exe File opened for modification C:\Windows\System32\x.js cmd.exe File created C:\Windows\System32\z.zip cscript.exe File created C:\Windows\System32\x cmd.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d841b935-e003-41a4-97db-3d04021d45c5.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230403144339.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c0bbb43a66d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024698" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04ab2b43a66d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\discord.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2983116461" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024698" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DCCC0A82-D22D-11ED-B7D7-7E7B9EA57A36} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d000000000200000000001066000000010000200000003501b12d007810471facd6fc2cccbe278cd1ce0bb8259adb6a4d602535767db0000000000e8000000002000020000000e6828f24b91cf4abf4ea674bf1e48fcb92c876cade2ac35032824e301431fd0a2000000060151b30f87252c063feb166d394c70e3dfc22d2e9acba70776d6bda15f446e5400000006f2e15d66c3ffeecdd45c34498c83b53e206bbbd6ba9ea37a626757b345ee25b70747bc8726962bbeb6c6efa5cceaf65251c22c8dce02d62bd3c827b27f0dd2d iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2983116461" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d000000000200000000001066000000010000200000007b4bc6594dbb61cbe49a793dd51a1f828da118d09234c3047a943a157abe19d1000000000e80000000020000200000006cd39dec5b86a6bea36f06dc53713988d7ba55eb6c0e34d80a36559aa5b5c4f620000000617cc7124a259dc2eae7b6ded9a31b193c504bccb61e05392cd87178ef1dc2c4400000000d64bac3a7d9d6c09d83e095aa33a9825dad9eeedd8fb46485e01ac0c09bafdc1898d2b7bef05072f6df6386af1ea1738d858848f5436fbec4a29b5fea2760b4 iexplore.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid process 2388 msedge.exe 2388 msedge.exe 1340 msedge.exe 1340 msedge.exe 980 identity_helper.exe 980 identity_helper.exe 5600 msedge.exe 5600 msedge.exe 1428 MEMZ.exe 1428 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 2904 MEMZ.exe 1428 MEMZ.exe 2904 MEMZ.exe 1428 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 2904 MEMZ.exe 2904 MEMZ.exe 1428 MEMZ.exe 1428 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 1428 MEMZ.exe 1428 MEMZ.exe 2932 MEMZ.exe 2932 MEMZ.exe 2904 MEMZ.exe 2904 MEMZ.exe 1068 MEMZ.exe 1068 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 1068 MEMZ.exe 1068 MEMZ.exe 2904 MEMZ.exe 2904 MEMZ.exe 2932 MEMZ.exe 2932 MEMZ.exe 1428 MEMZ.exe 1428 MEMZ.exe 2932 MEMZ.exe 2932 MEMZ.exe 2904 MEMZ.exe 2904 MEMZ.exe 1068 MEMZ.exe 1068 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 2932 MEMZ.exe 2932 MEMZ.exe 1428 MEMZ.exe 1428 MEMZ.exe 6048 MEMZ.exe 6048 MEMZ.exe 1068 MEMZ.exe 1068 MEMZ.exe 2904 MEMZ.exe 2904 MEMZ.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
msedge.exepid process 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 5768 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 5768 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 21 IoCs
Processes:
iexplore.exemsedge.exepid process 4444 iexplore.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe -
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
msedge.exepid process 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
iexplore.exeIEXPLORE.EXEMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid process 4444 iexplore.exe 4444 iexplore.exe 4556 IEXPLORE.EXE 4556 IEXPLORE.EXE 5488 MEMZ.exe 6048 MEMZ.exe 1428 MEMZ.exe 2904 MEMZ.exe 2932 MEMZ.exe 1068 MEMZ.exe 6108 MEMZ.exe 652 MEMZ.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
iexplore.exemsedge.exedescription pid process target process PID 4444 wrote to memory of 4556 4444 iexplore.exe IEXPLORE.EXE PID 4444 wrote to memory of 4556 4444 iexplore.exe IEXPLORE.EXE PID 4444 wrote to memory of 4556 4444 iexplore.exe IEXPLORE.EXE PID 1340 wrote to memory of 2728 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2728 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 1712 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2388 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2388 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe PID 1340 wrote to memory of 2436 1340 msedge.exe msedge.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.com/channels/@me1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb926746f8,0x7ffb92674708,0x7ffb926747182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff787555460,0x7ff787555470,0x7ff7875554803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5464 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5876 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,10800591645948842446,16920076455957966647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b4 0x4ac1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.exe" /main2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ 3.0 (1).zip\MEMZ 3.0\MEMZ.bat" "1⤵
- Drops file in System32 directory
-
C:\Windows\system32\cscript.execscript x.js2⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt4⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ad055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD58b82e64a7691fb70aec48c12c37eb312
SHA196084b73e24ced2adea93695f71a62092771ce79
SHA2565e1b36f0cccb94221d862d2fe35c892d699d397a87f74f18a668a57ba7ef8d5e
SHA51236802e6043f76d717a376d762f84e89be4bf5b6675bcc662f9f768dfe6487582654333ede1f871cadaa5b5120ad5147ca81bd79b5092623d38f1fbf4037237f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD589fe8978f15a70c82092ccfa1dcada4a
SHA1eec89677688a5b09040882ae18ff84799dab031f
SHA2566441c3793d2c949a86c163af81fce675ed674af7e8c179801e81928a38878e42
SHA5124be2f678c3adda67ec79bbb56625dc565d66cb854dacab067eb64917e8b8c5cf60f501d8f03dfa8405ebd44a83860efcdfb4bb2c343cd78b5810732e7e2e89d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5aaeb1f5e097ab38083674077b84b8ed6
SHA17d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2
SHA2561654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef
SHA512130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51db53baf44edd6b1bc2b7576e2f01e12
SHA1e35739fa87978775dcb3d8df5c8d2063631fa8df
SHA2560d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48
SHA51284f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\63055a87-f4cc-4fb2-bb0a-a36428706a87.tmpFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD53f7fc4199ac2a19d294a9e5431813f29
SHA15dc60d93b1c19d27e0114860c36cd77a6350b0f2
SHA256d5ddfdcdc573625d6f69c42dcbed39198d614cba3f86d81b126c046839c5bcd5
SHA51294e8adf8eec532442f928dc73e29bf2a79bff4c3e948e367cdd71d25ee5dc8d745db5608789cb2ce049a061771c11828cf843c41402fcd0c7bce5ce4d0fcfed5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD535d6dccb861821c36cd71690396ce5c4
SHA1e9d38fe7c9b7ce42b18b5d6d528eb45c28594769
SHA256de88664d3e453c045ce3659223039d2ccdf346e6ebe5c37008739a46bc2e43e2
SHA5126f3b8abd125eda5a5ed75409d4d53eab2bc3c98bd01c3b4cbb65fc2e84e48daf60077047905054383ba989ef6a032a6a393b7ebc0461d5548768b3ebddf715c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD51f9915450ba9eddacb1a5261632360e4
SHA14cbdab0638415ea95fd67267f3713c5be4e37ce5
SHA256a80635fd324223f03383066f218413bf50d4f8977febc8c19c60ecae6a57d495
SHA512576c84cefe7821a0442c805b6e27051cfc1dde51cc1a5a0dc0702b5ad9c861f1599511a0af714450bf289b1ed519925ad1bb1fc653fc7718026e508ec59750a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
999B
MD5d19da45f9625cdc86a1c4ce59824738c
SHA14de3598d6d5e22a5e71e2efe2d257cbe555a0135
SHA256704e2ab88e2fd019315f3254f5b1c5ba086c020a03e01ea290919cc6ad5cb9c5
SHA51286c76b452e34ebcde25486cbec9a5260f53ebd862dc72f74035655b8a12a30705113a76d1a5de66ebfc405620937148654d0f9cc74ccdfc8166cd70341ff3ac5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5101da6518af4f99f1f4888cee7023b32
SHA152610b5b654bde342d462c5781c1124c582c0c9d
SHA256bf8c46b134fca12716ad4b70cbb1ec9da266f4be1c99f85041996ba3e8eda383
SHA5124673a28bbf523ac4cb7bc597edc5c3ce67b2d639c125d134aa82ef7871376469dc5dbde7264a8168260d1279a770883452f3e40be11ad014866f9801d31d3728
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD55af5d789012d938ad4aba10b5976bbfb
SHA1d00a92a66914be47078a0ac08603031dd7f8cc3a
SHA256d143fab0a81131fa77e806daa32576e4cd1f2abc3e2f39a5c5c7b7a381a96ccf
SHA512900ec20e1e06f5a5e882a61a47be5fe2ba40d28ff3021f32361f95499a1f0583f496ddb6956c9da4b451911cb61ea508c8bf6a5a81d231abad0b2ff3f85b0208
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5d44dcf5e331adfd8d8352487a03a690e
SHA16d3366a92075e158269a5f04041cd423843572b8
SHA2568c9bb96e2bb77fc6f865a005f93f9655467db38c8b58f93ac4e5886b63c6b9b0
SHA512ae00aad3ffb329518cb14a21f79552b56085de843fe70811dde679fd6e1cf728e0f0477d1ab4e2b87e8ed4a3919d34fd116ce6357ffb598e81924df7e65926df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5fe3503ec5558909cb9547d703141965a
SHA144e3e500cbff8849446015bdbe9e4eeaa5d035f8
SHA256e9a4c515e069fc213053dd215c34cc8f6d20cd7643b42c9ccce26742cc347a8c
SHA512aa9e72c21d7e0e26192a9b4a54295b4a138daed7cdcac5c994b8a30bf5bb798b17f8760d9d9ba3bfa8cb62ff71b93ead0e6dcad01a0018fdedde5d35b159d63e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5821031fd646943094092384fc39c11a9
SHA1cf3156609ab66a6942adb785a36dbf65692b5585
SHA256fdd95228dac806efa111ba0b6c24670d1800579710b8210856d2d8fd81a0b8f1
SHA51235e4757487f2039d2b3f65f9237b10f3ccba4e4899377305c993ca5a29cf40bdb9e006f16ea48111a2417ab7b4b7b129333c24325311cd6032f933ba45c142b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD547e94a96372e6f095b8a3fd7edc48ec0
SHA1377b68f34e5964ca8be1b1b0c1507dd7f0e5f005
SHA25615c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e
SHA5125bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c46fe3d9d81e54a992bcbaa21e0950c0
SHA1184dc2b68a787739cb536c7f5207b8ec85dafc39
SHA2561d5885503c392a23c642fca55418359e3049dd888ec955c4ccdd932f079f9a75
SHA5120b1c9354d46e10349062b32ac394897f085af95fd83854215be79377b6a4ec8c050759babba143bc7ec261a4751f70305c57ef80d552df64d4c0dd7d5d9ff222
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a374.TMPFilesize
1KB
MD53fa8f76dd4fd078f5718660f37eb3782
SHA1df66a903386be5b7ef014b4cf2aec804ae0cce89
SHA256f2413d91441f31be45c2d089ff9b9b661e914c95719f7cc34272f3ca754a632b
SHA51287c216f9fe34eb9e5812bd7bf5a380557c0253e78683332b5e10c73072bac90453de4c2c1947f3f6fb7d8404b97bf55ab997d31f80328a1847717e89b54a8aec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD549d115ea74b291d1d04b5da5d408adfb
SHA142d06ad76794c809132da59fa6762841f0192b8b
SHA256622f3d756514522c69c75d0606ab09546f80f12266218d12d611e41b264ed78d
SHA5129ba0d394dc16f9f692a8a385b70a1b9efeabb463a8cc8d617a04aef55a8a5347f6b69b582819131b6132ee072729ee396ccdf1c113394baf644fc2fec399a2f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD5f5e9fb45cbf7a2df5f482f34b018473f
SHA13e5253c935be2df093590175e274468205e7c5d5
SHA2563b44b7caf5de650f12d11b994ca79ec0d21dc4fee19ed60dcd6721248b4af6c1
SHA5125b4a060a6ec643b23f5efb5ecf874120cfa0bb8bb4e7fcf2a2a07f5de0a8157084a1763f26a48a4eacc790537c5cd301e5163764f90051232f3be0f4dfd7c1e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5a77df124b25b5b2f055e50afd24009f1
SHA1fb3e4d4d7dd8756f069f073c1ab6f5da3dd623b0
SHA25648d10fd80e495768680fb8272036277cfc8e2fd72e053f33a53c98104d400c4c
SHA5120762b241b450953b9d2571e0f63877d3a3e8476609beba24285f2b6449cace543c38e7814c9e7a1afaa7adab611da753f059fb7497041e194e7d7767ba2343cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD51fa7c2a4223493e1598a1a1610305a45
SHA1704e350b4f9cc3af4610af5a751f13a3892c5842
SHA25666d16f2232061d07a0f9c2963e89a3ad7e94df36666352e0d8a6245512054deb
SHA512fd2d142de61bc56b2d57deb71c8378f610d9926d75ac4fc9055e2fbbaee8b49029ae95280a3e0e4e08b42d744ec421635267633f64058e93ae7ed8af1102b6b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5a44aa87397b6f4549bde343ccb7fe196
SHA1dfb5d4efe5051e46af939364ac4f85b19da6ebf9
SHA25663c53a877663c72d6c57df3c7c903de7c9855c9a357d417aa726ee4867feaf33
SHA51223d6f4f1dac33c4dde77b062caeee051ad409ea277c81ffc834139f97d82bd64e055df982272b362e94eeab1827c48e332d1e1805c9a8558b65473ab805c081d
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.datFilesize
24KB
MD5753da15db91bd7c5333356546bd293ff
SHA1009640a26ceb4d44917540d2a4fade216a85a052
SHA256cca06621008e548c7c30b49c2c52bf6b5babc65c7bb4c61b0b754262f6bb3560
SHA512878cea2d7d850aa6963e64d93660d9cb1d836af442e0f170dbc5d4a547f538ce38c9bf873b4b9b1054557411f91600197a776998ae58e494d5840c20445822b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\86c157237af2732f6d83[1].jsFilesize
651KB
MD524f4d27ed9549aaf4d47784d6b3a46ee
SHA103ce9eac6db8c63c39ed0140fe1954134341dde8
SHA256e276a12c7f43a48c783fc43cfece89324cc0f45c0c95673f8bc3efda671fbe32
SHA5126c233bc1d7ccd06619984e646d46878f26ffe8815b240a74fefb23f4793ed7957f7d1c4af05b1646da630580e74b0b1e3f0971d200ffa662d0292f44dc3e3e01
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\ec2c34cadd4b5f4594415127380a85e6[1].icoFilesize
23KB
MD5ec2c34cadd4b5f4594415127380a85e6
SHA1e7e129270da0153510ef04a148d08702b980b679
SHA256128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5690f335e316dce77624aa85b34801167
SHA165760a4504d3793630ed038e1ab8c69f7e816078
SHA256340da0feb5d76ee63138b5cea9e61ba1a63468e24dcdbf7c2736a08c853fbe18
SHA512754657a00878f7f0ebe29d66bc8d3567c639b0621d2c01940c27d4a805980f59e041f20160cbfb8952a7adef74d278f190dc231ed58b453c6173f6a68ba4cd01
-
C:\Users\Admin\Downloads\MEMZ 3.0 (1).zipFilesize
15KB
MD5230d7dcb83b67deff379a563abbbd536
SHA1dc032d6a626f57b542613fde876715765e0b1a42
SHA256a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254
SHA5127dff68e3f9be9320872ccb105b2e87f15b23807af96ca195a38a249d868468632c3d5811d9a51295ec89fe702d821c9466f93994993951d1238f07f096fb7d77
-
C:\Windows\System32\xFilesize
1KB
MD5d02c9448e8c913cbfab0313dc44c0af0
SHA17af2e750fc069c3793a84b3258fca72fcd57192e
SHA256416c2f4c07cd056c9cb3d8c5f97e35013eb98bed8d02a48ed27cdefc7af5f0f6
SHA5125ecb494c0aeebca8c5b48c9c6ee8608de777bde14e861f9d70f1ee4fcf635e87cd08e8dc142e74b2498eee5bf86e33e504d273c097cfba373835a5bdf4f3f9df
-
C:\Windows\System32\xFilesize
4KB
MD5b6873c6cbfc8482c7f0e2dcb77fb7f12
SHA1844b14037e1f90973a04593785dc88dfca517673
SHA2560a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1
SHA512f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf
-
C:\Windows\System32\z.zipFilesize
7KB
MD5cf0c19ef6909e5c1f10c8460ba9299d8
SHA1875b575c124acfc1a4a21c1e05acb9690e50b880
SHA256abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776
SHA512d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f
-
C:\Windows\system32\xFilesize
10KB
MD5fc59b7d2eb1edbb9c8cb9eb08115a98e
SHA190a6479ce14f8548df54c434c0a524e25efd9d17
SHA256a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279
SHA5123392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1
-
C:\Windows\system32\x.jsFilesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
C:\Windows\system32\z.zipFilesize
7KB
MD5cf0c19ef6909e5c1f10c8460ba9299d8
SHA1875b575c124acfc1a4a21c1e05acb9690e50b880
SHA256abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776
SHA512d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
\??\pipe\LOCAL\crashpad_1340_OPAXSGLWYTRKIOZLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e