Resubmissions

02/03/2024, 22:47

240302-2qrcaaab3z 8

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/03/2024, 22:47

General

  • Target

    https://github.com/Dfmaaa/MEMZ-virus

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ce8b3cb8,0x7ff9ce8b3cc8,0x7ff9ce8b3cd8
      2⤵
      PID:4436
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      2⤵
      PID:2836
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1356
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      2⤵
      PID:3808
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      2⤵
      PID:3104
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      2⤵
      PID:4984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4208
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5088
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      2⤵
      PID:3700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4696 /prefetch:8
      2⤵
      PID:3832
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
      2⤵
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:4332
    • C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe"
      2⤵
      • Executes dropped EXE
      PID:4968
      • C:\Users\Admin\Downloads\MEMZ.exe
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2944
      • C:\Users\Admin\Downloads\MEMZ.exe
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1620
      • C:\Users\Admin\Downloads\MEMZ.exe
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2036
      • C:\Users\Admin\Downloads\MEMZ.exe
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2420
      • C:\Users\Admin\Downloads\MEMZ.exe
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        PID:1340
      • C:\Users\Admin\Downloads\MEMZ.exe
        "C:\Users\Admin\Downloads\MEMZ.exe" /main
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:3372
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe" \note.txt
          4⤵
          PID:2380
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      2⤵
      PID:4432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      2⤵
      PID:4184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
      2⤵
      PID:4064
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
      2⤵
      PID:2580
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2908 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3024
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4300
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2332
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3968

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: a0407c5de270b9ae0ceee6cb9b61bbf1
    SHA1: fb2bb8184c1b8e680bf873e5537e1260f057751e
    SHA256: a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
    SHA512: 65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ded21ddc295846e2b00e1fd766c807db
    SHA1: 497eb7c9c09cb2a247b4a3663ce808869872b410
    SHA256: 26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
    SHA512: ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0d7ff94b-6e27-4ac7-a67e-c7af65daba89.tmp
    Filesize: 1KB
    MD5: 745439d01e6c68524c7f5b87f5df4744
    SHA1: 160385f657cea1e3c2e32d8220beaffc678fbaf0
    SHA256: 11a8a6bef59dad89b00bbe6300d3e40dd6227cbfc9efaf2a8d4af85288df754c
    SHA512: d00e0dd5d1a034c0799deacbd9ce3a9f92736299551a691bdc8adbcd280c2e1224f151b625157aa4f852dfe1fc58cd08b5ddb549045555ad1e12d5caf2b23de9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 2KB
    MD5: 3cb3bb9eafd8802a8bf7895744d2a3ca
    SHA1: 102642e083d9bdf9f11a8cbb8b43e2c8776f7ceb
    SHA256: 39e755030ea9bcfbb1ae781d82273c14ac2735191a73119bb6c39c86134ce7f5
    SHA512: ace304a0b71b3de554e89d74532c123cf5ba16641f68fdbb64246f07397891f459af79356f2ca47a584eee8cdb3cbb51ffec1f292d68004c64a2fcac932d099f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 4e45fcb9eab42b81adada9ffcc4a6fef
    SHA1: 5708d5f21b82261969504d9f0fe47a42e637a9c0
    SHA256: a7dfc5d2b4a5d5c5fd45d0aff8116cf45de5ea43e617a5c1b048d7fd2a5d66e8
    SHA512: a80ed3fdc3d37f817d09adb7b8fa20d9ef153f682b7f689dd6ac386db01f0959fec53d58887369f93cfd54809e14ce8cd00ba29cc5f1c75784f6a43afd626de8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: bca95696d4d5383cd67888a0b5e8df88
    SHA1: d71e1ead28fac70a521f04fa79bc62004b5e11fa
    SHA256: 7ae71f548f0d5ac2d4d2f1392bcbf8fa8da7ea03778f7fcb94ba3a2d150ca154
    SHA512: 438d1251adc21e554ba2ada25e98882bdee1d6ac7e8d423cf7fcaaf32b10d1fb58b80e5b50ec118687a526561b5863dcc2691ecebf94e88699f17801f223f264

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 20ea4725c3deed89767158b2e47141f5
    SHA1: 1abef9cd54ff7d857f6ce18351f81306f2ba3a58
    SHA256: eb3435134f1c7d057ab9ad065d87284d09e00c2cccf51b7321bc6e7c4fe0b874
    SHA512: f8b054443fe5f198bae444d655887b20145828f15334aec087f8187b9cd58a4a7d326d767ab2025e3df623baef7f0b14d722c8890efa48a582708635e801d9ee

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 1d8d5e919c83ad2151a479ba9a2afc91
    SHA1: b0740daf02b84d151b084a2f247d5036200ffe9a
    SHA256: 734d392b23c74d55e67cfcaca9f002f834bb0c0aa5e6b51544789c616eac7720
    SHA512: 598dfd832457dcf609d004e24e744c21db9ad030aec5db4d23e9cb2d3ed8ac342d7d6c3b20cf0fb6b40b799719c06654567c519948a2253d17c213bbfe7f7386

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a43f.TMP
    Filesize: 874B
    MD5: 9acc5c3d2c4cc5015eb8d8126f44adb8
    SHA1: 1c67c66d3923614ad47afcedbf881524295ce05b
    SHA256: a40616f296bfe5da821f49b00da367f16c6b3a33b310a3b2e635ab7488440c3c
    SHA512: 91cea42e4abd09d851fc5ed59affc37420c70f60f15eeff1ea241f6c8b0c80b528ce740c8bc24af5c6f049330522d10d69bf6b33e3af73391894c35ba18d2d2f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e6a8da60-d2ca-4a25-b2ba-e76ba737820b.tmp
    Filesize: 579B
    MD5: 46fa4f5f7344089589d117bd7599b3a9
    SHA1: b6cc1fe19e527d4a372c97e4d195ed94eee40030
    SHA256: 223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a
    SHA512: 6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: a6c94296aa85da14c8a6ba33bff0c3a1
    SHA1: 95b933d4a784756ccddd5b5afa6d0e6cfe80a410
    SHA256: b767dcc77ec65bf5e6082887cf0d39c056c70fdd117a42ea90d25d1c50398949
    SHA512: cf48671d50feaa5a40b3f7f81a431faa7bd3e0ead6d629fd45ec2595ac8fb3b0367258b73a78c55458bce34a84dee8dab500d643547c40dae46c9171d3134860

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: ef4ebdafec2c1004ae903399dd5031bb
    SHA1: e21f1b436d4f1bf08bc557dbda4f790e5a29b25f
    SHA256: 85818f3e2dcda13e60d65fda67583c7fae47893ed65c2500b748c8d39ebabe2b
    SHA512: 83044591e6e0258dd39dcf88edddf481005f1151615956dd8db7117d709739d9c5ba2f725aa0feb4e27f43475863c9720fa698d756fab37b130191b15f2e2dee

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 78a3a046fc9cdbfa5a403cec96167255
    SHA1: bbbf3ba408db172605a94be02607615b946e639b
    SHA256: 968679e158aaff8798c3dbaf80cea89b14761b1cae4cc09ced8172e8ff457cee
    SHA512: 482538b31430822b3f524422b0f3cf82dc28c32ecbd20b286ac490f2bbedad5314638ac616d1b7af79a647a3464080cc09f720a4d6d4b0ae803b2d484a9a3648

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize: 11KB
    MD5: f2de638a4259125fdc63c3e174803714
    SHA1: c2dc76d32dbc368e8b576a5dd9e0a2a7a5d6fa66
    SHA256: c76921cb128864fa1ede8f5f96285a688474149a4d0ef6f15ae131250649a297
    SHA512: 625a76f433d1b50172950eea73425706e5be7547d589f0b660d7ffab6440f9f1542acc1944d20d64ba493c15c420593b12b53e6ad8fe181c0134001581aa7b19

  • C:\Users\Admin\Downloads\MEMZ.exe
    Filesize: 16KB
    MD5: 1d5ad9c8d3fee874d0feb8bfac220a11
    SHA1: ca6d3f7e6c784155f664a9179ca64e4034df9595
    SHA256: 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
    SHA512: c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

  • C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier
    Filesize: 55B
    MD5: 0f98a5550abe0fb880568b1480c96a1c
    SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
    SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
    SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

  • C:\note.txt
    Filesize: 218B
    MD5: afa6955439b8d516721231029fb9ca1b
    SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
    SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
    SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf