a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a6c78995-c934-4512-982c-64e1d43cde66.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230405234954.pma	setup.exe

Drops file in Windows directory 58 IoCs

Processes:

mmc.exemspaint.exe

description	ioc	process
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mmc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeMEMZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3760	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
1472	MEMZ.exe
1472	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
4436	MEMZ.exe
4436	MEMZ.exe
676	MEMZ.exe
676	MEMZ.exe
1472	MEMZ.exe
1472	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
1472	MEMZ.exe
1472	MEMZ.exe
676	MEMZ.exe
676	MEMZ.exe
4436	MEMZ.exe
4436	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
676	MEMZ.exe
4436	MEMZ.exe
4436	MEMZ.exe
676	MEMZ.exe
1472	MEMZ.exe
1472	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
1472	MEMZ.exe
1472	MEMZ.exe
676	MEMZ.exe
676	MEMZ.exe
4436	MEMZ.exe
4436	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
4436	MEMZ.exe
4436	MEMZ.exe
676	MEMZ.exe
676	MEMZ.exe
3760	MEMZ.exe
1472	MEMZ.exe
3760	MEMZ.exe
1472	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
3760	MEMZ.exe
3760	MEMZ.exe
4436	MEMZ.exe
676	MEMZ.exe
4436	MEMZ.exe
676	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

mmc.exeAUDIODG.EXE

description	pid	process
Token: 33	4476	mmc.exe
Token: SeIncBasePriorityPrivilege	4476	mmc.exe
Token: 33	4476	mmc.exe
Token: SeIncBasePriorityPrivilege	4476	mmc.exe
Token: 33	988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	988	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

404 msedge.exe
404 msedge.exe
404 msedge.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

MEMZ.exemspaint.exemmc.exemmc.exe

pid process

1872 MEMZ.exe
4724 mspaint.exe
4724 mspaint.exe
4724 mspaint.exe
4724 mspaint.exe
3588 mmc.exe
4476 mmc.exe
4476 mmc.exe

pid	process
1872	MEMZ.exe
4724	mspaint.exe
4724	mspaint.exe
4724	mspaint.exe
4724	mspaint.exe
3588	mmc.exe
4476	mmc.exe
4476	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 4908 wrote to memory of 3760	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 3760	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 3760	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1472	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1472	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1472	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 676	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 676	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 676	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 4436	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 4436	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 4436	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1984	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1984	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1984	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1872	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1872	4908	MEMZ.exe	MEMZ.exe
PID 4908 wrote to memory of 1872	4908	MEMZ.exe	MEMZ.exe
PID 1872 wrote to memory of 4600	1872	MEMZ.exe	notepad.exe
PID 1872 wrote to memory of 4600	1872	MEMZ.exe	notepad.exe
PID 1872 wrote to memory of 4600	1872	MEMZ.exe	notepad.exe
PID 1872 wrote to memory of 404	1872	MEMZ.exe	msedge.exe
PID 1872 wrote to memory of 404	1872	MEMZ.exe	msedge.exe
PID 404 wrote to memory of 1484	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 1484	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe
PID 404 wrote to memory of 2944	404	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffd34f846f8,0x7ffd34f84708,0x7ffd34f84718
4⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
4⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
4⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
4⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
4⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
4⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
4⤵
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
4⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
4⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
4⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
4⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
4⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
4⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x21c,0x244,0x7ff7b1b25460,0x7ff7b1b25470,0x7ff7b1b25480
5⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
4⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
4⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
4⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
4⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
4⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
4⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7191067100351445076,10592705009919804636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
4⤵
PID:1312

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=how+2+buy+weed
3⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34f846f8,0x7ffd34f84708,0x7ffd34f84718
4⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=g3t+r3kt
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34f846f8,0x7ffd34f84708,0x7ffd34f84718
4⤵
PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x42c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
18ff809f6b47d0ce84f4aa07b1ea3dc5

SHA1
60228dcfc6145554f5c5f587157c30ce1caec89e

SHA256
854b11193a1a70b464b86b5a17ba79971838479ab27d6b3c9e41f6d25c9a494f

SHA512
97d94b6bb0a437a1011c6c1dc9d3920b1934e55a00ad72c4e033e0af3996a299543c9d3440a8bed816ed83d403c0c53826fd352dd9dc5776fb0810afc5f9b9ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
888B

MD5
3abc43d39b4a5fa3c366946e8aa0ea41

SHA1
d2a956c8e22f4a6d723a070ef1ec3a0751b07bde

SHA256
22e6e87705ccc0e28f69428802854d5268d5d8547633480f7b0277d92e346e3d

SHA512
d953bf71f63739588c226ba95f09ce86377837413138ac216e5111de21d031a69a04bf051592c7d5b565e7b6a4e15655688ae7bc43516131268e7d04f82ec432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe586feb.TMP
Filesize
48B

MD5
a14a8a0689703880c4b9ccf338ebae30

SHA1
a042e01d60bec75d18b9e11bfe5363bfc92a9eea

SHA256
1b692cc9be489d4b0d4234cf4f847bfdad4b95c726f7d1129726a64596545baf

SHA512
74219617a4c345f34ce3248599018e484ec4f3d4d959630b4f6b09a7d8c7f0143362265b2f46dc8d2b2cd1375c6f77e0f1d737ba2fee2e2c360468ef312f7b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
4c99acdab1cd922be9d99a19fb964337

SHA1
2daccc63e194edc38a245b0b2a97d20eec57bbf0

SHA256
e8d077dc5abb81bd03ae577146546594d886379a3f8dab6fbd04d5dbe076cbe3

SHA512
eb306f3b68d209208c2730a93b116acf9a83afd2ed9b7f592b8ebb4099eae4fbc902d9d3dc99ae14fc80b5373b42c0cf295de414be47d0e7b917b3c929a08b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
443e13706f0fe466be90bc24b2aba38f

SHA1
2d8f8023dccdaed26ad88e16f5ab7efc94643fcc

SHA256
144a196793cdd89f26999e17b5182156ead032026c41b281e6fe3cd845ab7884

SHA512
18570034804518fc078bc135ef6058a1c49396d3a958c038becd4d3176751adb81a9424786e409f81427925070caec534d6d61da8478344d5d360c070fa07d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fc82bf462db4fd56dca5614964709ef2

SHA1
58db9fbe1cc83b36770e931c8e4d53daff6e161b

SHA256
e579e0e6cb78de4361bc264b2f8e3e6831b1af70460db8f64ed0b0cb5e7bf733

SHA512
a876b376e8c2568460bd58f6ac40527d41ae6aa1ec6421b4ee4540b5bf718d664adcf6daf9e7f9404dccc2a8ac3b99a0def459dabfbcffec4dc0fcac9b53cdbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
89c9920afd17be0c571e502a04361a82

SHA1
e30bbbeff61d2f4ca81f2c24ed59ae7060a13c2f

SHA256
027295acc711e22137118c17fd76df21800157fcb2b49301718b824ea18eed11

SHA512
987af86ae997df91595d78518038fa5e26b46ac8f73a8c48e16557b9ff5038da7678d7bd865865fa6dc283a86877114670fc1623433e182471da51a6303cc5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2ed478737f87662a1e58c7671c493d33

SHA1
c5ac88c9696450f7f39a95a327fe8eff52034b17

SHA256
02818c9062f35ab74a806bf9a975f49df1c0f50cde73fb6c21914c6eb6cd806a

SHA512
780cc710422687ea39ab9df98e42a0ed9b49e7263eba23807ff1f2f8633f7456cd9f4e42fd4311569d74d1885a7f35b3eb41d892381330499cdff1b38e245fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2963906265473bb212535556ed8b4c05

SHA1
2f11ce3a911159c2ef7c5d3a354e99c57dc7c4a9

SHA256
6b900b155d3a79a7174bf89be635472a7b58e9e5d581a67800697d6557ad5d6f

SHA512
d054f3e852a631777537e7fa27d04f1d3298aacfd8d922512daa46a9b4d81e8ed941b90f99b4f07a76de495a9a0e10392a4449fcc238e994e3b43fbd10c888f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f960dbc2e9c72a017570b933cb497905

SHA1
1d18c28113b0b2a778a9b2fef9504ee490d24e74

SHA256
4595f2261c63b79a0a15ded5accc971195c0b6401f2b5ab97dcf70be71b5e9fc

SHA512
447ece1647c11391e01577e316e406e54416bbef8f31d7a545dd1fbf10937895256d30f4fb40ede913172f44803057163b21eee9a4494fb8a6345987a6f8f1a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
0ec13051a2ffde5ec034ee1e79aebb10

SHA1
e54ccd4449f59c734136cd0d7bff5116788dc4cc

SHA256
13c9841256501f6e42273cc42ea25b95f40e68e3688017e2fceb4a99730b6b1a

SHA512
2ed2e1ac0e89ab32ff7e0cd350bff7e3e43a416a56f4de3580328f64af48d764a1714dbd6ff374be070ba7c617510d86634128178db8d8db8f8b5c88f18a246d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
372B

MD5
31e8d25779996557f11078378e2c648a

SHA1
12f910b8d1682441828ea9c525620e127c035336

SHA256
d93b2d80996fdfb73441fd44c7904a256ee43a3dc32fff9a9d061b6ccaafda1e

SHA512
8298b7d699a8be8ada1f496beedddf19a3d34dfb90c3175e73053cc17cb4da8ef3d4e3aa1af1da299ad5f3e3f7bf6a65e53a1995229722ad28c9f03fc6ef03b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589f0a.TMP
Filesize
204B

MD5
726f71e66820b9d65e2b70434e7f24ae

SHA1
803ee89f6338693fc6ef791eb71bfba788b3b07c

SHA256
589c161820845eb8e6725e2ef0fe51aa0a71ed60db9fd5a5cdaa5708f5bd63a9

SHA512
2bd23e573bba7358c5c1fef0b8da1a0275d1a02ea09b1d1890a6641c94e03ae174f7d5913db5d67fe1f28f66f8fe7225e8efc5a6af32e3a455474a18eb892ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
1e50fcb44f49c43595ccb6086417b108

SHA1
218b6207a9eae4974cc691e663a1bee1bf266c8f

SHA256
4dba489e880b7a00942b6ddc96cc44b9f8faad63adceb8696e5810697ee3868c

SHA512
e1472bc16d76d176d0303dd529cd8a29474c3d72442ddd0a2773fea92cbb680120e80f24c9136b1e713db4dbf7f3f1acbdd2410205e4188a4586b7010c907ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
0be6dd4079d237165674417ae3df4dea

SHA1
e663998ef35c99f6e5c1f1f77651e070f5c6b838

SHA256
2a03521c82d041881233e3ad42bd656be08bde6d03eab16a50d92a1881133d41

SHA512
5cabed33171d8cf978a4f52f316e54aee0d588df4c4508ef4b07203275e08e16be12f61f5b2354585992f95a8c45ff7d58e80d64cfeb2a2d2f3c75ed596283ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
a5653268c1656ef5e15e91bde1fcff4c

SHA1
efe9b1f171f1c45ac7ad70069d2101df491fce95

SHA256
e5426e98cd9e360a59d46d4124b8b320b99d2738a809e92678207a0665e514cc

SHA512
fdf1c96d9ad92c49a6e938c8ab509516a57a3989014cc157470334d1411cbd30310c1ee070b867fc9fbd97b7fcc0f7ed2ef5e184969daabe6523701e9590ba11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
c0bcf9263095ca395be817d3655bf0e7

SHA1
6a64f40f1165ea17e9238f35be92b49c04fd73fd

SHA256
046977f19ad484e37875bd657bf0a72934076b2304496e4b0ade680f07c24123

SHA512
3bafab46d2a2a17ecc4a933a8f1899eda7f4c4cc5b179ab3b45c61c70ab58ea402b8a30592effc509d6e8a840c8936b8b20f2c5a6541b9ea3b302895d93e9770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
8a6417d3e76c0842e645469ccec84bf1

SHA1
e7cec38d74b1047a9a4924a2d4f7f5ece2f77988

SHA256
dcfe1d6bb2ae02b50036f624ca97bda9c7d32b65e6d078688ce2151eb411da34

SHA512
78ab1b581e8479094198c56860bdcc57d2a10c4a5c768494d68979c8f8c82680536d44ac8e045c6a9f7853989e544d66db318d4f1b535e0e395b58727d95108f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
96dfe9f3d3e6258ba704650b046a195f

SHA1
2ab6787d9bc8ffc3f38f38faa2da49442537e797

SHA256
1a668952ee5f6dcf3dd524e08b67498459926866e9cb85329ad4edc8b2a7f988

SHA512
8e6099b5b10f1ebe0d4dc9e6b6e1a712317336674989bf82672c429f07e4cdf55875f3ad000352764c50a2c17e869ebd35dffd417d2fac0301a2c8401ee01d60

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_404_ZUPGBVCEQRBCCYTE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit