Resubmissions
25-05-2024 19:39
240525-ydcftagc26 1025-05-2024 19:31
240525-x8n8esfh98 1025-05-2024 19:28
240525-x64kbsfd8z 7Analysis
-
max time kernel
120s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 19:28
Static task
static1
Behavioral task
behavioral1
Sample
MEMZ.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MEMZ.exe
Resource
win10v2004-20240426-en
Errors
General
-
Target
MEMZ.exe
-
Size
16KB
-
MD5
1d5ad9c8d3fee874d0feb8bfac220a11
-
SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595
-
SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
-
SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
-
SSDEEP
192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MEMZ.exeMEMZ.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation MEMZ.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation MEMZ.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
MEMZ.exedescription ioc process File opened for modification \??\PhysicalDrive0 MEMZ.exe -
Drops file in System32 directory 1 IoCs
Processes:
mmc.exedescription ioc process File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe -
Drops file in Windows directory 57 IoCs
Processes:
mmc.exedescription ioc process File created C:\Windows\INF\c_diskdrive.PNF mmc.exe File created C:\Windows\INF\c_monitor.PNF mmc.exe File created C:\Windows\INF\c_receiptprinter.PNF mmc.exe File created C:\Windows\INF\c_camera.PNF mmc.exe File created C:\Windows\INF\c_fssecurityenhancer.PNF mmc.exe File created C:\Windows\INF\PerceptionSimulationSixDof.PNF mmc.exe File created C:\Windows\INF\rdcameradriver.PNF mmc.exe File created C:\Windows\INF\xusb22.PNF mmc.exe File created C:\Windows\INF\c_fscompression.PNF mmc.exe File created C:\Windows\INF\remoteposdrv.PNF mmc.exe File created C:\Windows\INF\c_smrdisk.PNF mmc.exe File created C:\Windows\INF\c_netdriver.PNF mmc.exe File created C:\Windows\INF\c_fsvirtualization.PNF mmc.exe File created C:\Windows\INF\c_linedisplay.PNF mmc.exe File created C:\Windows\INF\c_scmdisk.PNF mmc.exe File created C:\Windows\INF\c_fsantivirus.PNF mmc.exe File created C:\Windows\INF\c_media.PNF mmc.exe File created C:\Windows\INF\rawsilo.PNF mmc.exe File created C:\Windows\INF\c_fshsm.PNF mmc.exe File created C:\Windows\INF\c_fsopenfilebackup.PNF mmc.exe File created C:\Windows\INF\c_smrvolume.PNF mmc.exe File created C:\Windows\INF\c_fsphysicalquotamgmt.PNF mmc.exe File created C:\Windows\INF\c_fsquotamgmt.PNF mmc.exe File created C:\Windows\INF\c_fsinfrastructure.PNF mmc.exe File created C:\Windows\INF\c_firmware.PNF mmc.exe File created C:\Windows\INF\c_swcomponent.PNF mmc.exe File created C:\Windows\INF\c_holographic.PNF mmc.exe File created C:\Windows\INF\c_scmvolume.PNF mmc.exe File created C:\Windows\INF\c_apo.PNF mmc.exe File created C:\Windows\INF\c_volume.PNF mmc.exe File created C:\Windows\INF\c_fscontinuousbackup.PNF mmc.exe File created C:\Windows\INF\wsdprint.PNF mmc.exe File created C:\Windows\INF\c_ucm.PNF mmc.exe File created C:\Windows\INF\c_computeaccelerator.PNF mmc.exe File created C:\Windows\INF\c_fssystemrecovery.PNF mmc.exe File created C:\Windows\INF\oposdrv.PNF mmc.exe File created C:\Windows\INF\c_fssystem.PNF mmc.exe File created C:\Windows\INF\c_cashdrawer.PNF mmc.exe File created C:\Windows\INF\ts_generic.PNF mmc.exe File created C:\Windows\INF\c_fscopyprotection.PNF mmc.exe File created C:\Windows\INF\miradisp.PNF mmc.exe File created C:\Windows\INF\c_mcx.PNF mmc.exe File created C:\Windows\INF\c_extension.PNF mmc.exe File created C:\Windows\INF\c_fscfsmetadataserver.PNF mmc.exe File created C:\Windows\INF\dc1-controller.PNF mmc.exe File created C:\Windows\INF\digitalmediadevice.PNF mmc.exe File created C:\Windows\INF\c_fscontentscreener.PNF mmc.exe File created C:\Windows\INF\c_fsundelete.PNF mmc.exe File created C:\Windows\INF\c_sslaccel.PNF mmc.exe File created C:\Windows\INF\c_proximity.PNF mmc.exe File created C:\Windows\INF\c_magneticstripereader.PNF mmc.exe File created C:\Windows\INF\c_fsreplication.PNF mmc.exe File created C:\Windows\INF\c_display.PNF mmc.exe File created C:\Windows\INF\c_processor.PNF mmc.exe File created C:\Windows\INF\c_fsencryption.PNF mmc.exe File created C:\Windows\INF\c_fsactivitymonitor.PNF mmc.exe File created C:\Windows\INF\c_barcodescanner.PNF mmc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 20 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
mmc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags mmc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName mmc.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry class 2 IoCs
Processes:
firefox.exeMEMZ.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings MEMZ.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid process 4732 MEMZ.exe 4732 MEMZ.exe 4732 MEMZ.exe 3992 MEMZ.exe 4732 MEMZ.exe 3992 MEMZ.exe 3992 MEMZ.exe 4732 MEMZ.exe 3992 MEMZ.exe 4732 MEMZ.exe 2332 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 2332 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 4732 MEMZ.exe 1836 MEMZ.exe 4732 MEMZ.exe 1836 MEMZ.exe 1436 MEMZ.exe 1436 MEMZ.exe 1836 MEMZ.exe 4732 MEMZ.exe 4732 MEMZ.exe 1836 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 3992 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 2332 MEMZ.exe 1836 MEMZ.exe 1836 MEMZ.exe 4732 MEMZ.exe 4732 MEMZ.exe 1436 MEMZ.exe 1436 MEMZ.exe 1836 MEMZ.exe 4732 MEMZ.exe 1836 MEMZ.exe 4732 MEMZ.exe 3992 MEMZ.exe 3992 MEMZ.exe 2332 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 2332 MEMZ.exe 2332 MEMZ.exe 3992 MEMZ.exe 4732 MEMZ.exe 4732 MEMZ.exe 1836 MEMZ.exe 1836 MEMZ.exe 1436 MEMZ.exe 1436 MEMZ.exe 1436 MEMZ.exe 1836 MEMZ.exe 1436 MEMZ.exe 1836 MEMZ.exe 4732 MEMZ.exe 4732 MEMZ.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
mmc.exepid process 6660 mmc.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
msedge.exepid process 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
firefox.exemmc.exedescription pid process Token: SeDebugPrivilege 5660 firefox.exe Token: SeDebugPrivilege 5660 firefox.exe Token: 33 6660 mmc.exe Token: SeIncBasePriorityPrivilege 6660 mmc.exe Token: 33 6660 mmc.exe Token: SeIncBasePriorityPrivilege 6660 mmc.exe -
Suspicious use of FindShellTrayWindow 30 IoCs
Processes:
msedge.exefirefox.exepid process 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 5660 firefox.exe 5660 firefox.exe 5660 firefox.exe 5660 firefox.exe 1536 msedge.exe -
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
msedge.exefirefox.exepid process 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 5660 firefox.exe 5660 firefox.exe 5660 firefox.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
firefox.exemmc.exemmc.exeLogonUI.exeMEMZ.exeMEMZ.exepid process 5660 firefox.exe 6600 mmc.exe 6660 mmc.exe 6660 mmc.exe 4308 LogonUI.exe 3992 MEMZ.exe 2332 MEMZ.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
MEMZ.exeMEMZ.exemsedge.exedescription pid process target process PID 1972 wrote to memory of 4732 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 4732 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 4732 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 3992 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 3992 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 3992 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 2332 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 2332 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 2332 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 1436 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 1436 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 1436 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 1836 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 1836 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 1836 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 4984 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 4984 1972 MEMZ.exe MEMZ.exe PID 1972 wrote to memory of 4984 1972 MEMZ.exe MEMZ.exe PID 4984 wrote to memory of 1180 4984 MEMZ.exe notepad.exe PID 4984 wrote to memory of 1180 4984 MEMZ.exe notepad.exe PID 4984 wrote to memory of 1180 4984 MEMZ.exe notepad.exe PID 4984 wrote to memory of 1536 4984 MEMZ.exe msedge.exe PID 4984 wrote to memory of 1536 4984 MEMZ.exe msedge.exe PID 1536 wrote to memory of 5044 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 5044 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe PID 1536 wrote to memory of 3348 1536 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98e1b46f8,0x7ff98e1b4708,0x7ff98e1b47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98e1b46f8,0x7ff98e1b4708,0x7ff98e1b47184⤵
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.0.1890839742\1546677477" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4726d4c5-5b3f-4626-a939-44dde72ab0c7} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 1848 22d4070ec58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.1.306623089\85078832" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ead6002-3858-4585-b785-87043706f8c1} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 2464 22d33884158 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.2.1560272154\869837098" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c37bd58d-5b79-4622-9d9b-8527949f9724} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 2984 22d42dd6e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.3.170247166\138756940" -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1b61ac4-c8f7-4b3b-8009-1f0ca70f8085} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 4240 22d3383ee58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.4.696323625\499854828" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5028 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed13cc4d-953b-4dc9-9346-5966e0e138f7} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 5128 22d47961558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.5.377209984\970821862" -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bbc07a4-d1c7-418f-9cad-9856323b42f5} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 5260 22d47963658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.6.448210298\325103097" -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67985829-79dc-40e8-89ac-17fed160ee36} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 5556 22d47962158 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38f8855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
206KB
MD5f998b8f6765b4c57936ada0bb2eb4a5a
SHA113fb29dc0968838653b8414a125c124023c001df
SHA256374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef
SHA512d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5d608e8bc2f940641952bd68662a9e834
SHA181577fc792d39e6a89e340d66570c215dec2f413
SHA256750b7e7828bab11e716cd15547441e03c5fc07ecde173f523c5c8225afe6d945
SHA5122db3cc193e0837b8e35e214046c4f02e4d21d52c7b660696a8bdcdcb8caa30e5d42a2305132ef7e7c8365fb0b67ae5378cd6125dbd339a1b6b84cdae1f2b4b57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
815B
MD586fbaba6b24b4bd42ea9d515b8e43989
SHA1893a38ca9924bf51a68daad80c11046cdec21b49
SHA2568c46fa47727dd5759f9803be8dc32158ae879df7a88e6b2e9ac6dbad4d8f3880
SHA512f30267f60de0e810f29960bc85197a58685865a87ccbbe4af0fe34e4d3a7f8669e40e8a8bdab513d88ef18c785f3a91d6eb3c26fd318866726d21eea2173bdc9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57ab3c34cc3da10c3e0db87aecd335774
SHA13ce82f95ffcade58464a2dfb60a79e53108f2d06
SHA256be081cd6cfe6fd175ade6c24277441f7bf575a20dad4e6351eaeed84f859c64d
SHA51283e60feda724ec694b6fd5460593ec5fa46c2ada424cf459eba8bb717ce3640b35daae1825f26b144b05a4d3f2a08f25342cf7ce2c79ebe895e782ced4f97be2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b0e15996cbdbd330e52fc2278481e4c1
SHA19b541d5cf8160a6d4a237853fda79622b5fb146a
SHA256d1e47043ff054c329465c55c94e0d2212b8f3c9add6662cc1bc660a28601be71
SHA51202667ea030c57161088ae8d9d93c959e4eaff04a03b1ac3b9e34720e1e809f8e5699bdc8a38ba4b98d477b9b542c2794186374e8f3f43b890e8382223d8b0026
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5aecc05022d44394ebcf34df92275af8b
SHA117959501094a875b8da5c0f1105d9fc609fb0cda
SHA256e792f77e59681429321b4fd068f2de1dd02eb2525cae923c232f7977588f1b9f
SHA512a881700975e0f336673d1ad71d7618996aa54606a100c271ca5be069dbc2be179e19c63b0d69cb4823f53dd8bbb98d481d14afa6748e0b4861165484a05d7671
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5d8a1a5c68e602f7559aaaa1de43d8088
SHA197c78a4b6f1beef8bd6b9eb0af43ebfbac5619df
SHA256779bddefa3ee8155f081acbba429fb7f11f74e20e8d22953ad7e8d5f5f57a434
SHA5122f0eb8a7ed0cd65e7a94b4a3f41568537e5afb836afc97c5c07a1bd72641114686ee22d729c48e228fce1ea74f3acdc96c5332971c3a12bcece534af91735518
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d512fd324406320b44e0c78f0dd3e7f2
SHA1e7690041691cb3e2853a81629f0d2b13d6595e05
SHA25684f1de9a7af3d7f0519f1ad117c080354e57fd1f79137022e265b2336732c827
SHA5127f159f9bed48554e64c8643e4946018d8a964aa70990415725693bd4ededc7afcbac30e0a152e85ba6614ed88bcb4c378bf7337193d3425e165d03c36d999dad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD54c179d1893d8de07dc1998029927de08
SHA1af638097ce8ce51673db8ed11d377102c14f2c6d
SHA25695db1a949897b7b625d1a212c6b6442c8950eb3fb1d78f2475eb8c86cb6ec9d3
SHA5125c5b10d98203130342734acec39618806936d122f566b7f2758a7dd37ef9ecfbf8c76ea760a803d09bfb71bbe2af26b3ac8ca530d57c66d688a4613688744cec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD51be365f0b5066c169d11fb8723415759
SHA19ce0f0a132eeef316f6e2bedb2222b1ba265f5be
SHA256e0cf320922dc5c0f3b9bdf15388b63d5e760e9c3a118efa6a47bdef227db465e
SHA512de7c92e414790185f43868cf630c3953ffb63bab549e3918e097b1c0c93a4e58cf4b7c47558fa6723371dc919edf8f031f6cffda36738d1c4f40853778ce6a85
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmpFilesize
25KB
MD54a6175c2fb38c5c84781378a3c675a1a
SHA1125e538b72afcaeed18b6b1220d3dc28c2225859
SHA25664f6e996e3fedd01f6e753a0fcefcc2a0813ee8b46b9490f1763e6e0bfec4332
SHA5123198d46af4c91ad4fdacffff92d19af362a583abfc1f24776b296188ce4212a619a0e6203215634499848a3504fe649f102c6576f093b0151336ecd56ada8fb1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.jsFilesize
6KB
MD57528000a8aaa8ae61b9acb42a5e3bfef
SHA1f234fea8371e504dadfbeaa6c1e29e678ec89460
SHA25684fb6de0c434013c496ea03b6945a145c2afb0fe96f991e711c085c96bf353b9
SHA512f6ba1119553dbb3c2c907fa2c84e2af29e292dd6aa402918469c76d884bd8a4ab714da2305016899a823377a280b0508db91c3ddda7f77f29d0c3ea47de9d5f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.jsFilesize
6KB
MD5b3461e0a274131835e8633ebbf381411
SHA1ce231f20de97602b7b98623b97bd36d6892bddcb
SHA25628c16bbb0d7475dcba6a88aa9fe5111698458f5f02b8194dd8fe3afee75e6649
SHA5129af2c7e687dca270a61c082842a44225a19e7d630dbc6b6e90a23d81bdccefdaaac0023708ac2c2bd48e379855ff7d212a66e51746eff18b93ee0c3fabce1292
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5e7717defccf2de895b127af893287661
SHA102b511d757a4627c387c6c15bb81a2806fc02a08
SHA25615a813e51b0630302262418304c2a2a44f16de24101748806ec9eec1a7aade93
SHA512071a14b5b19b020ceb2cb6a9b1c471f39e79537f14633687b0e29a462fc7691993dcb2bff0f63d76934e6ad249fc98cb42aa35c2814c4d0ed063675afd35fd75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore.jsonlz4Filesize
913B
MD5d2347a1e1dc16048bd159f835840fc43
SHA15909676d5ddb4ce57d957faf9967d68375e0d1ef
SHA256b2126a5d0f4ea7c23195a63eb22b4ee9d1e777e5f13e8df38d600dba788bba1e
SHA5129bcfdbaa8041ed5c81062b06fa54ded7c26a1cad73548a91f50395438e9c09837f7f60d9aa1b0edaaebbcd3285e22642daaa1c74d44038163d09d6f205882071
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
\??\pipe\LOCAL\crashpad_1536_TIXDBHOHULLWSKYNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e