3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

05-04-2023 01:27

230405-bvfhgada5y 7

05-04-2023 01:24

05-04-2023 01:18

05-04-2023 01:16

05-04-2023 01:13

28-12-2022 04:22

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\483dfb48-e3ef-4ece-b1b0-97e1dda47ead.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230405031500.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
4564	MEMZ.exe
4084	MEMZ.exe
4564	MEMZ.exe
4084	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
4084	MEMZ.exe
4564	MEMZ.exe
4084	MEMZ.exe
4564	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
4564	MEMZ.exe
4564	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
4564	MEMZ.exe
4792	MEMZ.exe
4564	MEMZ.exe
4792	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
3684	MEMZ.exe
3684	MEMZ.exe
4792	MEMZ.exe
1496	MEMZ.exe
4792	MEMZ.exe
1496	MEMZ.exe
4564	MEMZ.exe
4564	MEMZ.exe
3684	MEMZ.exe
4084	MEMZ.exe
3684	MEMZ.exe
4084	MEMZ.exe
4564	MEMZ.exe
4564	MEMZ.exe
1496	MEMZ.exe
4792	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2888 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2888 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3300 msedge.exe
3300 msedge.exe

description	pid	process
Token: 33	2888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2888	AUDIODG.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 4640 wrote to memory of 4084	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4084	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4084	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4792	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4792	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4792	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 3684	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 3684	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 3684	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 1496	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 1496	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 1496	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4564	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4564	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 4564	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 3220	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 3220	4640	MEMZ.exe	MEMZ.exe
PID 4640 wrote to memory of 3220	4640	MEMZ.exe	MEMZ.exe
PID 3220 wrote to memory of 1328	3220	MEMZ.exe	notepad.exe
PID 3220 wrote to memory of 1328	3220	MEMZ.exe	notepad.exe
PID 3220 wrote to memory of 1328	3220	MEMZ.exe	notepad.exe
PID 3220 wrote to memory of 3300	3220	MEMZ.exe	msedge.exe
PID 3220 wrote to memory of 3300	3220	MEMZ.exe	msedge.exe
PID 3300 wrote to memory of 2752	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2752	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2144	3300	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd93de46f8,0x7ffd93de4708,0x7ffd93de4718
      4⤵
      PID:2752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:2144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
      4⤵
      PID:1164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
      4⤵
      PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      4⤵
      PID:3476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
      4⤵
      PID:1472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
      4⤵
      PID:1668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0xdc,0x22c,0x7ff6ff285460,0x7ff6ff285470,0x7ff6ff285480
        5⤵
        
        PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
      4⤵
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
      4⤵
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
      4⤵
      PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
      4⤵
      PID:2632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
      4⤵
      PID:320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
      4⤵
      PID:716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      4⤵
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
      4⤵
      PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
      4⤵
      PID:4300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:1532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16227444543407385372,619660793744531636,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
      4⤵
      PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd93de46f8,0x7ffd93de4708,0x7ffd93de4718
      4⤵
      PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
    3⤵
    PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd93de46f8,0x7ffd93de4708,0x7ffd93de4718
      4⤵
      PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
    3⤵
    PID:3556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd93de46f8,0x7ffd93de4708,0x7ffd93de4718
      4⤵
      PID:320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
    3⤵
    PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd93de46f8,0x7ffd93de4708,0x7ffd93de4718
      4⤵
      PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a10efe23009825eadc90c37a38d9401

SHA1
fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

SHA256
05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

SHA512
89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1a3c45dc07f766430f7feaa3000fb18

SHA1
698a0485bcf0ab2a9283d4ebd31ade980b0661d1

SHA256
adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

SHA512
9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c7eb8599cb69ab9c2c93109119c1546

SHA1
ceb70768ad5f085994636ccfac0e123a0e9b66bd

SHA256
386fbed2ec27163dd16df71e9d04b30581431b75e43673ec879bf08740587642

SHA512
b5e758bb90e9adebff06f6189925acfb1a5dda3dc4c6f744ae8d8c9d708541f16abd630127d9a3c249115c4dabbeba432f39ee6b03e530632a0f3826193f5bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c7eb8599cb69ab9c2c93109119c1546

SHA1
ceb70768ad5f085994636ccfac0e123a0e9b66bd

SHA256
386fbed2ec27163dd16df71e9d04b30581431b75e43673ec879bf08740587642

SHA512
b5e758bb90e9adebff06f6189925acfb1a5dda3dc4c6f744ae8d8c9d708541f16abd630127d9a3c249115c4dabbeba432f39ee6b03e530632a0f3826193f5bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c7eb8599cb69ab9c2c93109119c1546

SHA1
ceb70768ad5f085994636ccfac0e123a0e9b66bd

SHA256
386fbed2ec27163dd16df71e9d04b30581431b75e43673ec879bf08740587642

SHA512
b5e758bb90e9adebff06f6189925acfb1a5dda3dc4c6f744ae8d8c9d708541f16abd630127d9a3c249115c4dabbeba432f39ee6b03e530632a0f3826193f5bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c7eb8599cb69ab9c2c93109119c1546

SHA1
ceb70768ad5f085994636ccfac0e123a0e9b66bd

SHA256
386fbed2ec27163dd16df71e9d04b30581431b75e43673ec879bf08740587642

SHA512
b5e758bb90e9adebff06f6189925acfb1a5dda3dc4c6f744ae8d8c9d708541f16abd630127d9a3c249115c4dabbeba432f39ee6b03e530632a0f3826193f5bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c7eb8599cb69ab9c2c93109119c1546

SHA1
ceb70768ad5f085994636ccfac0e123a0e9b66bd

SHA256
386fbed2ec27163dd16df71e9d04b30581431b75e43673ec879bf08740587642

SHA512
b5e758bb90e9adebff06f6189925acfb1a5dda3dc4c6f744ae8d8c9d708541f16abd630127d9a3c249115c4dabbeba432f39ee6b03e530632a0f3826193f5bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
162KB

MD5
b81d6636c3ad72c63e532e5180eaf7f9

SHA1
ddcd059999fff6218e98af62dbe3fa9c885a0de8

SHA256
2fb4351c49b47b7cdaa9516237a8b1e690e4448339d09d70a84c658729e461ef

SHA512
4f0b87bbf60061a8efca4906554f958b7c28cf582452e01a8316d8c5ea8c98beda6c3230afff207f0b92d316c4c2e0ca1b4631e7d7364344b4a76394115af06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
257KB

MD5
28d7546dec789d4f27f1f29f6786825b

SHA1
c9aec66e33513ec352378ec5e085b1155eefd626

SHA256
7bad2704d665ea318f232a14c31bdd27f79a17a66353be6ad4cd41b7f1e96946

SHA512
7204740cccd9bc95c1ccaf9209758321b52bfa1a33360b81981574225dc28edb680eb7f1de9394f2863a8d6ce8ab39eb6c1667249ef6134d138fa16727973947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
36fc9d60a5ccec3cc04876389cf9f86b

SHA1
e5cbb2bef9e2a94e214d83fee46870966252466b

SHA256
989fa7ccc5ff775e399b81c1614595098a6dfbb435c4837f24fb1f334dd5a39f

SHA512
994cff6d388ef5ac900735fcd551490ec91285dcda9a34be2fa4c53ff85f4f8cd368e5a89a2fd5ddc1455b4ca0f32154dde940b1a9166b58f477f202a0935ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
527a2f72fd80351005ed32766fda36bb

SHA1
981fc298d3f3c5a972da6aac3e6133b661f83b2e

SHA256
bc17503cb356e527c213c54bbc852d546b6572f80472acc2d58d8e17d2a30024

SHA512
041adee9f1af54d4d042ab66f83e5d2b7da9c5e7993edd75071db50f7c0d7df108ef07883c8420f1e3f43a0320f77b433c285b586a9d1b0e50879670429cd0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
c1b5fc44ddf7c33d7d352d4641b09bb7

SHA1
8a4a7f0cf20a36cd995d6e849bacf3f9368d4f80

SHA256
c7dd60716dab8406224a4e97209e56b9ee9c257a683e05b7eb9a4304b4d634c8

SHA512
1f48ce3a32aea5de50d293553a1599d76737dd42a4bf9b285dfd8ff8d6e6d3fbe92ca3357575e223574804fe02a14c26a9f9e428035c5bfdbc3a7728226d9da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
5ce9ecbdc9ff5f8fc3b56ec9a5dd316b

SHA1
09f3b7355346d72fac68258d1f09b37911118cbc

SHA256
5d2268600107e5530eeac1a26a0fb9163904fecbfa79f9b97257485db3c3aee7

SHA512
6664e4a2c608aaa7a35bd014eefc2c54e4ce07725a1f418e0e1a36d240ea599f88dac432a6c59846684b429d14b7de6b1cb23955915aacea64ae5b22fdc1782b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
52f31b28513ddce01b8a788a0431b3dd

SHA1
a7ed3e993649f59dec492f839b35a8cc9d3949c8

SHA256
51b055cb6ac207c8dcbd1904cb2d963432b290d4675bd874b6935b612ed16cfa

SHA512
42a059fe9ed52633740ec2796e52ede36b66b21ef2b85d7073891b7b1c8fe3480337593350d4899d6262484fc96696d7b4ed579c53e1ad5344b555d494ab30de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
24dbc8550faaf9d52a337aad2ada2d3c

SHA1
2eb69d254ee1e97bd08cdf9b84295f8a33794486

SHA256
8f70bb56c94714fc25189926fa49efa7cd47d61e29738bdab4558dc82b547781

SHA512
371887867196d317c75545b2033920b8048573c2b49f0f5113ab53ff041f5cdf84dd86dc514ee700b09b0172a6d213c74baf11d3d72311d24511d2414394baa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b61eac64a5b8a3934ad7adcbb7745e8b

SHA1
6c540c98470b9f539bc7820f0804c7eddb8c8f30

SHA256
0a95f8bfcadf3f0a4920a24f5cee364821b0854178c5987f544e62eced9e64fa

SHA512
f1c9a1f626a7ac0c8952b9e458e93b9a56848dc42f44bbae5447598caccd0a678a476553b85eb5cd4f81db9494c0f99b7aac55bbb96c5a72c18d754e3afe3b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
540255691632adb4590cfb41eb51d9e8

SHA1
66203dbd544990bc8d591d2e3e7789fca7226d28

SHA256
6718d45a3f92a9a2aac943c1b5efa25eba224e5628e056c30dc1314b477b02e9

SHA512
0cf46badd356d600cc8b6de4a1a56123889a70402e5271423390e8bd56c0b6bc5a8e3230f91ae34688c0454fe8af3d996572c853a7f657f8352d42f605ca991a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a1efc4dc793c605ffd41125ef67dbcd

SHA1
92f61ada8084ab9169c13fa69a2068151df17ac2

SHA256
6f79c34703ed885c8288f561f49fbe3eea95ebf83ee3c55255e6c069918fd527

SHA512
b8dfbf13f960a155357199fe6a010512043e0ef7918ba257ce707b53bdaad250e06fceb7c98614786098cf7f23252d7e5409d33376c846eb05b907565d994f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f9ad17b862542c44a8c420c8be60a19

SHA1
09521378b44e1219bf3e46edb0b7c5708b6764cd

SHA256
991ec572e551573f191ec67d27882421b10dd23605783d672c720968222e04f6

SHA512
5c0b4aa28ab0eca432980fded8ac22e06e149c7257a44e24f1c1a19975120140896386ce2f4cbd8abcb219b39176f3639c11f87a1b84c73c2957549259fcf7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5971b1e84db4850cb849b02b99fa3bc0

SHA1
83a004dfb12c4c2b7d2797a1fae2ee750808c0a5

SHA256
3c0878f57759be0fe01aed29066918d4b5186f45c98b81edb7c1be96000ad051

SHA512
1743cddbf0e23ad971ff717e3c34d62b01778ec3b39cc56ecf32f4e6990cd41523cd31acd31978703ec82511594b154bbf552c52958da2baa5997d0f8c971f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd7b92f6219a4c3ef9fe2f64d31321cd

SHA1
878d589131b63bcd909d8faddb31a914dc2f0c86

SHA256
7efaf65a91b0a1cc0a194df55b17483b21018cd310bb165d1770ce7739fea355

SHA512
9b68f9129c629f3a6e12447fc19be2b527a976fb5ba81c6ad5170e5a851761b5ba3007548db77f788edb441cebd069d5e081302b6585ab9e2bc64c1f1302e3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5edab6d3ffbeee247ccb4423f929a323

SHA1
a4ad201d149d59392a2a3163bd86ee900e20f3d9

SHA256
460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933

SHA512
263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2415ec8b9dee87e4e22f25a95db8a00a

SHA1
f8c94e68f042f4672de03b62835d2c4d0ce2b0ed

SHA256
da3bf87749f8514fb51bc2e8fc19109f181a7079543621cb4bca2a05aed9c5fe

SHA512
cc0c52444a5c7d15231e9a1e46ac279d3605f5de3d0869220b64e3b9b9de04745eab018846cffeed30034744d9a20e93638ea0316b0e965b98e9750a22e724b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec8561627d0ebbd13cdda0e0b2e62fa8

SHA1
200100e95dd6f0fdef3e47ac3f37452a50f60b23

SHA256
172da5d315e9f087c503f6c0e5c6219c52fe6bdf75127758ac8820c4cddf14a8

SHA512
5b864bad919c6e537b6ef673c34f5025b31bddad6315d6c368dd3b4255d7e1a993e403e7a29963a748c3311fdc22383b1fb5a6ec618f79ced6fde6e09ee774ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5886cf.TMP

Filesize
1KB

MD5
092917f179fdd67525e319dc52948fba

SHA1
5e8a83cae9d57004a335df3bd5ee75667ef4f818

SHA256
58a2a7bffa484cc9bc9c610a837a87bf33f049c83efebcc6d229fdfee97e4f4f

SHA512
49bf42b5d830e6d6617383b3da5cb3e717cb51f0d7118483ec27bf8c77a287c672724a582b47454d88ef27369b7f75cfe1ee8d056345242b4672cabb217d3fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
892948584c756342749b06261f046381

SHA1
6546fb6cf3d42eb710245fb6bd25a33254ab575a

SHA256
df33aecb37e971b3775f5787dd7b77b342957b347d84e857b5112deebd5092f6

SHA512
ca58f43c1d49c45cecc094658b54a9dc2971a6458c5d041866e89e015f8730aa0dada366c8c830daa0d0e5c2e6c254a62702d93673efcb0cd808122faaf4089b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
67e325569220ff97899c713850db024a

SHA1
1dbf0415e7319a8bbc556bb3c1f8c0a456ac189d

SHA256
5ebc05eb67d32ea25859c4842508cbb45116f09e925a821bf5d9e0e078d62c29

SHA512
db02de1dbaa3024c245dbef4b15239cb8b77407e3721ab702565bef5d1d247e2c824e72e8bf11f242df017ed7b6a1a00cd2da61679b8e55129d8554046b40f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
aaba07119067ea1091638f9dceff1d38

SHA1
e2a4b0b542031e7c6424428e4caf08fe054e064b

SHA256
e8af25348b41d84373481045382a0b8b0a04d9d119d7b9a74103bd2c61525dd7

SHA512
36dec91b95f9bd110a16f0421f9c26a327e1229775a5b51f41e4492763b49218193fdb91ea20b6261328690f27856042cd3648a4a0cf7d89d1bc0714975d1b4d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_3300_UBSIJVFLUAJHKHUB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit