3d4c345b9b6c298b218274cfe2141b2f2842b113534a557100c1671a8b7edb76

Analysis

max time kernel
341s
max time network
335s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-09-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	Taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	Taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	Taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "25"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "103"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000c33bed377bb7870f4de0b904c4918ef273f97ebc5f4e5271a8ab1a74cc7f6abc6b3f3094804cafd23341f1fd61483c89d1eb7fefb18c56cf22b1	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 077cb8954d01db01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 05529d9b4d01db01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "60"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{892249F5-56E0-4407-9C0A-4504A10C0EB8} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "25"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "103"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "60"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "60"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
600	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
1556	MEMZ.exe
1556	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
1556	MEMZ.exe
600	MEMZ.exe
600	MEMZ.exe
4940	MEMZ.exe
4940	MEMZ.exe
600	MEMZ.exe
4940	MEMZ.exe
600	MEMZ.exe
4940	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
1096	MEMZ.exe
1096	MEMZ.exe
1096	MEMZ.exe
4184	MEMZ.exe
4184	MEMZ.exe
1556	MEMZ.exe
1556	MEMZ.exe
4940	MEMZ.exe
4940	MEMZ.exe
600	MEMZ.exe
600	MEMZ.exe
600	MEMZ.exe
600	MEMZ.exe
4940	MEMZ.exe
4940	MEMZ.exe
1556	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
1096	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
4184	MEMZ.exe
4940	MEMZ.exe
1556	MEMZ.exe
4940	MEMZ.exe
1556	MEMZ.exe
600	MEMZ.exe
600	MEMZ.exe
4940	MEMZ.exe
600	MEMZ.exe
4940	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
1096	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5868	OpenWith.exe
6036	Taskmgr.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
4820	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
3824	MicrosoftEdgeCP.exe
3824	MicrosoftEdgeCP.exe
3824	MicrosoftEdgeCP.exe
3824	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4636	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4636	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4636	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4416	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4416	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2236	MicrosoftEdge.exe
Token: SeDebugPrivilege	2236	MicrosoftEdge.exe
Token: SeDebugPrivilege	6036	Taskmgr.exe
Token: SeSystemProfilePrivilege	6036	Taskmgr.exe
Token: SeCreateGlobalPrivilege	6036	Taskmgr.exe
Token: 33	4700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4700	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe
6036	Taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4584	MEMZ.exe
2236	MicrosoftEdge.exe
4820	MicrosoftEdgeCP.exe
4636	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
5868	OpenWith.exe
5528	MicrosoftEdge.exe
4244	MicrosoftEdgeCP.exe
4244	MicrosoftEdgeCP.exe
5468	OpenWith.exe
4584	MEMZ.exe
4584	MEMZ.exe
6356	MicrosoftEdge.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4584	MEMZ.exe
4584	MEMZ.exe
4584	MEMZ.exe
6360	OpenWith.exe
4584	MEMZ.exe
488	MicrosoftEdge.exe
3824	MicrosoftEdgeCP.exe
3824	MicrosoftEdgeCP.exe
1096	MEMZ.exe
600	MEMZ.exe
4184	MEMZ.exe
1556	MEMZ.exe
600	MEMZ.exe
1096	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
600	MEMZ.exe
4184	MEMZ.exe
1556	MEMZ.exe
600	MEMZ.exe
1096	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
600	MEMZ.exe
1096	MEMZ.exe
4184	MEMZ.exe
1556	MEMZ.exe
1096	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
600	MEMZ.exe
1096	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe
600	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
600	MEMZ.exe
1096	MEMZ.exe
1556	MEMZ.exe
4184	MEMZ.exe
1096	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1556	4904	MEMZ.exe	73
PID 4904 wrote to memory of 1556	4904	MEMZ.exe	73
PID 4904 wrote to memory of 1556	4904	MEMZ.exe	73
PID 4904 wrote to memory of 600	4904	MEMZ.exe	74
PID 4904 wrote to memory of 600	4904	MEMZ.exe	74
PID 4904 wrote to memory of 600	4904	MEMZ.exe	74
PID 4904 wrote to memory of 1096	4904	MEMZ.exe	75
PID 4904 wrote to memory of 1096	4904	MEMZ.exe	75
PID 4904 wrote to memory of 1096	4904	MEMZ.exe	75
PID 4904 wrote to memory of 4184	4904	MEMZ.exe	76
PID 4904 wrote to memory of 4184	4904	MEMZ.exe	76
PID 4904 wrote to memory of 4184	4904	MEMZ.exe	76
PID 4904 wrote to memory of 4940	4904	MEMZ.exe	77
PID 4904 wrote to memory of 4940	4904	MEMZ.exe	77
PID 4904 wrote to memory of 4940	4904	MEMZ.exe	77
PID 4904 wrote to memory of 4584	4904	MEMZ.exe	78
PID 4904 wrote to memory of 4584	4904	MEMZ.exe	78
PID 4904 wrote to memory of 4584	4904	MEMZ.exe	78
PID 4584 wrote to memory of 4284	4584	MEMZ.exe	80
PID 4584 wrote to memory of 4284	4584	MEMZ.exe	80
PID 4584 wrote to memory of 4284	4584	MEMZ.exe	80
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4820 wrote to memory of 3520	4820	MicrosoftEdgeCP.exe	85
PID 4584 wrote to memory of 6036	4584	MEMZ.exe	88
PID 4584 wrote to memory of 6036	4584	MEMZ.exe	88
PID 4584 wrote to memory of 6036	4584	MEMZ.exe	88
PID 4584 wrote to memory of 4680	4584	MEMZ.exe	89
PID 4584 wrote to memory of 4680	4584	MEMZ.exe	89
PID 4584 wrote to memory of 4680	4584	MEMZ.exe	89
PID 4584 wrote to memory of 1460	4584	MEMZ.exe	90
PID 4584 wrote to memory of 1460	4584	MEMZ.exe	90
PID 4584 wrote to memory of 1460	4584	MEMZ.exe	90
PID 4584 wrote to memory of 5660	4584	MEMZ.exe	92
PID 4584 wrote to memory of 5660	4584	MEMZ.exe	92
PID 4584 wrote to memory of 5660	4584	MEMZ.exe	92
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99
PID 4244 wrote to memory of 3360	4244	MicrosoftEdgeCP.exe	99

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:600
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4284
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6036
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5660
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5628
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5188
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6892
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5528

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6356

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5868

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:6916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LMXDZRQ6\anchor[2].htm

Filesize
49KB

MD5
86c54b7733ac93d9897b837c50a91fad

SHA1
eeae7df6c0ac5cf5221b511d56a51e8ac3107e3f

SHA256
61a49a113cc523f6643415ac8697543027b0547bd3117ee3b6abcd37f916c63d

SHA512
9c239ff13e1c28572a0d514cb6f923121507ed9e958167d38088a5a390ba166ceb5520cf3c9287cc76f14c6baeb9f43d30855bb3f71b918cc633d0119be2ac63

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LMXDZRQ6\bframe[2].htm

Filesize
7KB

MD5
a85a31405bc356b57cb73c50ab89bd76

SHA1
c4368ee387a9b735bc426fddd07a81be881d45d9

SHA256
681b62ba9b259dc08157cc09a053f03f45d98e4454de71c8c61e0d545d33be70

SHA512
ab10161c95e4d86caca2b391e755d3b851b0b7de672b5c61db1a011026ce8cfb2d94ae76ff3b3b88949fddba6a0fd7285904676742b0b0f25f03239396281ab5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LMXDZRQ6\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\8WGCV3W4\www.google[1].xml

Filesize
238B

MD5
3b88c0e61f42665a6f98bc28b49743d8

SHA1
d0c9fb5073f506f8a1aef36eeb504d27614dbbce

SHA256
e17a483040f5139008644afc9b263f65cc970d47033a640309d556586b8a9512

SHA512
f0348ce3fd59b4fa1db350c346096e85c5bf439e96e0bd92b5f5bf5ae869c42142c65ccdd669f3061fd3b38ba9b71424c99e63567c5952a0f7ac53bd2b1dc054

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\5Q5T7Z0E\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
b234939b3dc3fff92238a71247d8c017

SHA1
765a3ca5a76e1e7ea641a5df63a3b262f2c54360

SHA256
90f90fd3c057469679d07abd720609d27b9efa863afc08740e6436f2bd3246df

SHA512
6c40427cf56b9e1498d2a47fe70d6be4ab7cd840804351e5eacc9e7669c704243119c720aaf05edab5555481c42c98aa6a992582ea95ef8aa891e20de11224bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFB244BA498EE27ABF.TMP

Filesize
24KB

MD5
2469f3cad459da5f2980ad023b8bf4a2

SHA1
5175685468c74da46865c9913e11e8494b9383aa

SHA256
2da4ef69415a30877d4789924cafa25027f1c338dc7c486657031e455a7f331a

SHA512
378fc34bf13b8aec93c48c703980d160e19de4b836ecaf03ae4bcef9ef2eb64809083e0377efb5bee8f52556f89002f96af8c0929c1311467b8356182a571b7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOlCnqEu92Fr1MmEU9fBBc4[1].woff2

Filesize
15KB

MD5
285467176f7fe6bb6a9c6873b3dad2cc

SHA1
ea04e4ff5142ddd69307c183def721a160e0a64e

SHA256
5a8c1e7681318caa29e9f44e8a6e271f6a4067a2703e9916dfd4fe9099241db7

SHA512
5f9bb763406ea8ce978ec675bd51a0263e9547021ea71188dbd62f0212eb00c1421b750d3b94550b50425bebff5f881c41299f6a33bbfa12fb1ff18c12bc7ff1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOlCnqEu92Fr1MmEU9fBxc4EsA[1].woff2

Filesize
7KB

MD5
207d2af0a0d9716e1f61cadf347accc5

SHA1
0f64b5a6cc91c575cb77289e6386d8f872a594ca

SHA256
416d72c8cee51c1d6c6a1cab525b2e3b4144f2f457026669ddad34b70dabd485

SHA512
da8b03ee3029126b0c7c001d7ef2a7ff8e6078b2df2ec38973864a9c0fd8deb5ecef021c12a56a24a3fd84f38f4d14ea995df127dc34f0b7eec8e6e3fc8d1bbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOlCnqEu92Fr1MmEU9fCBc4EsA[1].woff2

Filesize
1KB

MD5
52e881a8e8286f6b6a0f98d5f675bb93

SHA1
9c9c4bc1444500b298dfea00d7d2de9ab459a1ad

SHA256
5e5321bb08de884e4ad6585b8233a7477fa590c012e303ea6f0af616a6e93ffb

SHA512
45c07a5e511948c328f327e2ef4c3787ac0173c72c51a7e43e3efd3e47dd332539af15f3972ef1cc023972940f839fffe151aefaa04f499ae1faceaab6f1014f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOlCnqEu92Fr1MmEU9fChc4EsA[1].woff2

Filesize
11KB

MD5
16aedbf057fbb3da342211de2d071f11

SHA1
fdee07631b40b264208caa8714faaa5b991d987b

SHA256
7566a2f09ff8534334b7a44f72a1afaba6bdbb782209be8804636ee8b963c75f

SHA512
5cd45dfb0d0ee44afd9b3ffd93c2942c2f04e359d067d4631edd67a2ee09149766294b29c75aaab7436dacc775a8ca02392c5e4cfb8d7fede19c028448507e0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOlCnqEu92Fr1MmEU9fCxc4EsA[1].woff2

Filesize
5KB

MD5
6bef514048228359f2f8f5e0235f8599

SHA1
318cb182661d72332dc8a8316d2e6df0332756c4

SHA256
135d563a494b1f8e6196278b7f597258a563f1438f5953c6fbef106070f66ec8

SHA512
23fb4605a90c7616117fab85fcd88c23b35d22177d441d01ce6270a9e95061121e0f7783db275ad7b020feaba02bbbc0f77803ca9fb843df6f1b2b7377288773

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOlCnqEu92Fr1MmYUtfCRc4EsA[1].woff2

Filesize
14KB

MD5
e904f1745726f4175e96c936525662a7

SHA1
af4e9ee282fea95be6261fc35b2accaed24f6058

SHA256
65c7b85c92158adb2d71bebe0d6dfb31ab34de5e7d82134fe1aa4eba589fc296

SHA512
7a279d41c8f60806c2253cba5b399be7add861bd15bf0ac4fa7c96fa1eee6557bf1ebd684e909086d9292739f27fa18947af5c98f4920fe00da3acf209c6260a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOmCnqEu92Fr1Mu4mxK[1].woff2

Filesize
14KB

MD5
5d4aeb4e5f5ef754e307d7ffaef688bd

SHA1
06db651cdf354c64a7383ea9c77024ef4fb4cef8

SHA256
3e253b66056519aa065b00a453bac37ac5ed8f3e6fe7b542e93a9dcdcc11d0bc

SHA512
7eb7c301df79d35a6a521fae9d3dccc0a695d3480b4d34c7d262dd0c67abec8437ed40e2920625e98aaeafba1d908dec69c3b07494ec7c29307de49e91c2ef48

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6RMIJ2G2\KFOmCnqEu92Fr1Mu5mxKOzY[1].woff2

Filesize
9KB

MD5
efe937997e08e15b056a3643e2734636

SHA1
d02decbf472a0928b054cc8e4b13684539a913db

SHA256
53f2931d978bf9b24d43b5d556ecf315a6b3f089699c5ba3a954c4dde8663361

SHA512
721c903e06f00840140ed5eec06329221a2731efc483e025043675b1f070b03a544f8eb153b63cd981494379a9e975f014b57c286596b6f988cee1aaf04a8c65

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GFIMG22C\KFOmCnqEu92Fr1Mu4WxKOzY[1].woff2

Filesize
7KB

MD5
7aa7eb76a9f66f0223c8197752bb6bc5

SHA1
ac56d5def920433c7850ddbbdd99d218d25afd2b

SHA256
9ca415df2c57b1f26947351c66ccfaf99d2f8f01b4b8de019a3ae6f3a9c780c7

SHA512
e9a513741cb90305fbe08cfd9f7416f192291c261a7843876293e04a874ab9b914c3a4d2ed771a9d6484df1c365308c9e4c35cd978b183acf5de6b96ac14480d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GFIMG22C\KFOmCnqEu92Fr1Mu72xKOzY[1].woff2

Filesize
15KB

MD5
e3836d1191745d29137bfe16e4e4a2c2

SHA1
4dc8845d97df9cb627d9e6fdd49be1ef9eb9a69c

SHA256
98eec6c6fa4dcd4825e48eff334451979afc23cd085aea2d45b04dc1259079dd

SHA512
9e9ec420cf75bf47a21e59a822e01dc89dcf97eec3cc117c54ce51923c9a6f2c462355db1bc20cdf665ef4a5b40ffcfa9c8cee05bb5e112c380038bfef29c397

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GFIMG22C\KFOmCnqEu92Fr1Mu7GxKOzY[1].woff2

Filesize
11KB

MD5
15d8ede0a816bc7a9838207747c6620c

SHA1
f6e2e75f1277c66e282553ae6a22661e51f472b8

SHA256
dbb8f45730d91bffff8307cfdf7c82e67745d84cb6063a1f3880fadfad59c57d

SHA512
39c75f8e0939275a69f8d30e7f91d7ca06af19240567fb50e441a0d2594b73b6a390d11033afb63d68c86c89f4e4bf39b3aca131b30f640d21101dc414e42c97

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GFIMG22C\api[1].js

Filesize
870B

MD5
db3f5a748364d84b2b5f75e3d4e851d0

SHA1
17b34ff20d429abee726b4b74530e5af2819f7bc

SHA256
343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1

SHA512
3ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GFIMG22C\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LMXDZRQ6\KFOlCnqEu92Fr1MmEU9fABc4EsA[1].woff2

Filesize
9KB

MD5
df648143c248d3fe9ef881866e5dea56

SHA1
770cae7a298ecfe5cf5db8fe68205cdf9d535a47

SHA256
6a3f2c2a5db6e4710e44df0db3caec5eb817e53989374e9eac68057d64b7f6d2

SHA512
6ff33a884f4233e092ee11e2ad7ef34d36fb2b61418b18214c28aa8b9bf5b13ceccfa531e7039b4b7585d143ee2460563e3052364a7dc8d70b07b72ec37b0b66

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LMXDZRQ6\KFOlCnqEu92Fr1MmEU9fCRc4EsA[1].woff2

Filesize
14KB

MD5
79c7e3f902d990d3b5e74e43feb5f623

SHA1
44aae0f53f6fc0f1730acbfdf4159684911b8626

SHA256
2236e56f735d25696957657f099459d73303b9501cc39bbd059c20849c5bedff

SHA512
3a25882c7f3f90a7aa89ecab74a4be2fddfb304f65627b590340be44807c5c5e3826df63808c7cd06daa3420a94090249321a1e035b1cd223a15010c510518df

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LMXDZRQ6\webworker[1].js

Filesize
102B

MD5
ad5e6a567d064cba36f2a56caab2d866

SHA1
a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1

SHA256
e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291

SHA512
ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOlCnqEu92Fr1MmYUtfABc4EsA[1].woff2

Filesize
9KB

MD5
797d1a46df56bba1126441693c5c948a

SHA1
01f372fe98b4c2b241080a279d418a3a6364416d

SHA256
c451e5cf6b04913a0bc169e20eace7dec760ba1db38cdcc343d8673bb221dd00

SHA512
99827a3fab634b2598736e338213e1041ef26108a1607be294325d90a6ba251a947fd06d8cb0a2104b26d7fe9455feb9088a79fe515be1896c994c5850705edc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOlCnqEu92Fr1MmYUtfBBc4[1].woff2

Filesize
14KB

MD5
19b7a0adfdd4f808b53af7e2ce2ad4e5

SHA1
81d5d4c7b5035ad10cce63cf7100295e0c51fdda

SHA256
c912a9ce0c3122d4b2b29ad26bfe06b0390d1a5bdaa5d6128692c0befd1dfbbd

SHA512
49da16000687ac81fc4ca9e9112bdca850bb9f32e0af2fe751abc57a8e9c3382451b50998ceb9de56fc4196f1dc7ef46bba47933fc47eb4538124870b7630036

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOlCnqEu92Fr1MmYUtfBxc4EsA[1].woff2

Filesize
7KB

MD5
585f849571ef8c8f1b9f1630d529b54d

SHA1
162c5b7190f234d5f841e7e578b68779e2bf48c2

SHA256
c6dcdefaa63792f3c29abc520c8a2c0bc6e08686ea0187c9baac3d5d329f7002

SHA512
1140c4b04c70a84f1070c27e8e4a91d02fda4fc890877900c53cfd3a1d8908b677a412757061de43bc71022dfdd14288f9db0852ef6bf4d2c1615cb45628bebc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOlCnqEu92Fr1MmYUtfCBc4EsA[1].woff2

Filesize
1KB

MD5
7cbd23921efe855138ad68835f4c5921

SHA1
78a3ae9ec08f2cf8ebb791a2331b33a03ab8cc76

SHA256
8eaae4c8680e993b273145315c76a9a278f696467c426637d4beab8cb3dc4a3d

SHA512
d8a4db91d2063273d31f77728b44557612b85f51143973caa3cfd60ab18f8c3e4b8cdaab43af843fe29441cd1d8299bf2f139a78e47bf740277b33a377377177

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOlCnqEu92Fr1MmYUtfChc4EsA[1].woff2

Filesize
11KB

MD5
29542ac824c94a70cb8abdeef41cd871

SHA1
df5010dad18d6c8c0ad66f6ff317729d2c0090ba

SHA256
63ef838f895e018722b60f6e7e1d196ff3d90014c70465703fc58e708e83af64

SHA512
52f91e02b82f9f27d334704b62a78e746c80023ee8882b96cb24cb4043f9a256f395d24830b1f4513bd7597f8c564af20db9c715ab014eb2ab752fd697156591

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOlCnqEu92Fr1MmYUtfCxc4EsA[1].woff2

Filesize
4KB

MD5
133b0f334c0eb9dbf32c90e098fab6bd

SHA1
398f8fd3a668ef0b16435b01ad0c6122e3784968

SHA256
6581d0d008bc695e0f6beffbd7d51abb4d063ef5dedc16feb09aa92ea20c5c00

SHA512
2a5a0956ecc8680e4e9ef73ec05bc376a1cc49ddb12ee76316378fe9626dccedb21530e3e031b2dae2830874cc1b6bfd6cce2d6d0dce54587ff0fc3780041ace

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOmCnqEu92Fr1Mu7WxKOzY[1].woff2

Filesize
5KB

MD5
a835084624425dacc5e188c6973c1594

SHA1
1bef196929bffcabdc834c0deefda104eb7a3318

SHA256
0dfa6a82824cf2be6bb8543de6ef56b87daae5dd63f9e68c88f02697f94af740

SHA512
38f2764c76a545349e8096d4608000d9412c87cc0cb659cf0cf7d15a82333dd339025a4353b9bd8590014502abceb32ca712108a522ca60cbf1940d4e4f6b98a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\KFOmCnqEu92Fr1Mu7mxKOzY[1].woff2

Filesize
1KB

MD5
57993e705ff6f15e722f5f90de8836f8

SHA1
3fecc33bac640b63272c9a8dffd3df12f996730b

SHA256
836f58544471e0fb0699cb9ddd0fd0138877733a98b4e029fca1c996d4fb038d

SHA512
31f92fb495a1a20ab5131493ab8a74449aabf5221e2901915f2cc917a0878bb5a3cbc29ab12324ffe2f0bc7562a142158268c3f07c7dca3e02a22a9ade41721e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SD25NXA1\jtfVNCDllPkHVmro98zm5d41V4d88fHJDx69n-tu_Nw[1].js

Filesize
18KB

MD5
36e9d8d2c2194d0f01c5e6f39ef1e618

SHA1
9601c7397b47092f1ef5fa548eabf089ad9a1f09

SHA256
8ed7d53420e594f907566ae8f7cce6e5de3557877cf1f1c90f1ebd9feb6efcdc

SHA512
349939f956c7c4a5815553fb6aadc5c4b5e4c4b33c7df52626c8f5edcf1a6255661bef1f9664f37fc68b6cede2b4c22dd654bc7e4b7ee4c0fb043bcd56a5f370

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\8WGCV3W4\www.google[1].xml

Filesize
99B

MD5
1b82d230ba8d289c3d44c07e0ee683fe

SHA1
f4e4fa0bfb10e77b1811afea86e6d8fc520094b5

SHA256
43ac89a3ce360f603b21714d64257da236f45043e30d283da53efb22c3b22004

SHA512
01d7e7ab4c70650f77e02e1f2971cf1b69bcb3d0c5ce13baaed07c191d56360d6b14622aa24081e859ac523f1a5f02ffdf45fa9fa95fdcf4e78c041e7c9b9a37

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1e0c01e4e93d52ef16f3b669214b04a4

SHA1
d33a94ee7a36cd526a804016104a660d86044627

SHA256
46c9c707b6b946d2ecb0d581784dea6f73c1a8af5d7984c6d42ccc19e59e135c

SHA512
0f9e27b78900a45499fc97d1cfb8e846f9b04fccc062f34d0add23ee56d88a0e485602c8cc31fdba792b4c5e973398b3ee276b234d64149a0df06845ba7b74cb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
471B

MD5
e400427ce8f210a9c3a85444aa57c72d

SHA1
9fb62bc3ee3254f0a6e2257b21c9c70dcc5ce239

SHA256
4332f5d8cb2cd04bcf054a3edf102ecb98653dc08601c4d867d663e9bb258c25

SHA512
ede559e81231e3e1f68ac03e6962218bf4a9020d3ee548c1b8fe9d1bd772a5025b8bf0a161eccecc6b4f5db20c3b27826000a8f21a987e0404bd69b62ce96558

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
472B

MD5
4c10ff9ae1a38044a74bdfea79242ba7

SHA1
b1d8b2f717e8206a9b143d665834515e7075fa92

SHA256
487a8e4bb48e308730e00838076cb0102ef91321dc8a01e1eef6f8626d639013

SHA512
aa4ac71782105a505ee4746572f2c636c28aadae7a5b4ddfde9ef78dbdff22979625d846985e8629a8971e1832ed567181f92abda782833525584695134242f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
472B

MD5
2f32f31431b0e85fc4dff6612c673113

SHA1
e53cfa801c7d4e1b3dba5704d0ff96b447ffb1fe

SHA256
128351609b5b8e9b6ba9d6f2d6af86b189fe4d72f99f0b05663766d9abbf2886

SHA512
3573ea9378ec313bbb6723eba94f52f7e88c39bfe7919f052b9f76f6424d943b99405bd7250705e5dd5ffc8d2dec8de5b873624ef8fbc1391adea6f4143898cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
2fcb95929e9f2ee73a12559b2b31e316

SHA1
fb3121aa74823484707bcf1623da11405ecbd3f3

SHA256
7d9bc5ccde1a2b4c864e9a445ccfe667b354519dde253dbc3328ba0090bdb4f3

SHA512
3df74a9acaf10c26cce1aaf93c5ea8b8981724374e2ddd8711702547a683391438167be5b134cf471851cf1c46d2da1c9fc73c0cf941a859ebd6e63ababb70c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
cf40a240cd878ce2a0617c348086aa7f

SHA1
5d482fb92342a22c56d46f411dae1a9de908accd

SHA256
19e9f0581f3f9808599f87ed5eb3a97f2469e607c9d152452f2f40dc4fbd2b2d

SHA512
edbec3f6a8a9ea5d31646ad81953e04ec845dfa929a352a101939233ffadf28d801985ba3fbe5707755257ba1b1de0839905b2c4023b123ed25f72a1418fbfb9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
406B

MD5
7aeed281d217885fa8fadcf9459c623c

SHA1
18bbc033aa59fe7f8e373d48a909612d8a17ac64

SHA256
f5bb25c5ab5cbccda88cd83f45a5e85d4df8007a7829ae135e290523047f4015

SHA512
6dd7ae5a684cb2833910fa79234cb860716d0a99a804ff05b66eae141c7b2abdee5e2c629b156bd92ab2ba3a9807a89359d689d2fe8e8b6e433543813e37c8c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
398B

MD5
415714193185863445973a1d758ae676

SHA1
708ff326212da011a5a2ef30692ad6e90ec8c330

SHA256
b212733295f57dbf9d85da7c18bcb98a9ddb87da558301f474a8491bbcec16f8

SHA512
1af22e92a69a792a39a8387546d01d342886ed9f8675ac5412de302651ae1b1cb0adf75a771ec0e874b738ead4fa92cf732ee2fe7816a8ba9c7dcf5c9656f112

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
398B

MD5
f782a9c4fbe050d6505d066b89519f27

SHA1
6ec88560896c22042af0db07a2fadb1a50a8712f

SHA256
693af2f37c9d6dd1f621c93322b449cd449f7b9fb55ab4c2269f5231538c2dca

SHA512
6f27189e29a9c76bb4d97085f9384f715da4b5165755ce605da0810bb925f01cd57f1f0f46619f76650839e5bac9b29bae129090b49e8dfab365649e6b0344f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
b5bbce041347f6a55c2ae5eba7497e3c

SHA1
8f2dc628be091cf9017e6dc6212d02a3eb607923

SHA256
ac8ea941528ceb69d3a46522af66486581541643ab49541c58e74cd1265d72c5

SHA512
83a8138db36614f643510c2a359c5c2f98b2cc4306dc3925717149b6efd7cb151e215a7a973d4aebf926d1bdd0c68e47fdc0579b9127e82f81476e9bb4e6c30e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
d1caea614de40e57403c9e36b463300c

SHA1
84a186f640e0383210d7388ce8dfc60e3aa2ec8a

SHA256
c5196eab44c33f972e0298a0389afa67918dff32c88acb2bfda0713c639791ed

SHA512
dadd0967d3f0f5594259c3b535c3afb5a56a95a69351ca98b84a96d4ae98dcdd8711202c66ffb7fc26807abdb3a1a60e4365dfa9d6cc29c2a5f6130d4728d20f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
58aaae2181377c181fc14efa23674c6b

SHA1
5e0768be55d87970a2e73fa60a38c97dd2c18936

SHA256
7746b126f0d3f22a9318bdd794b740c1e18d53798b8c8b22c6664ddd453a2ffa

SHA512
00ad5cfbbe11fd523f7c5b850688a4d24a6dc1f6ed6e734861aa1ed5df1e1075122a733416a02274a040740ee1e19c8344c7532b61d6c1459626453bcc27f3b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
ab0c006012d603ca42873fb54506f0cb

SHA1
37889f2363818582cfcb4289e87f0a47185a11cc

SHA256
c0dc6ca11f54dac13dca40ffa06885721ca423a33fec2ca42be80e01dea248f9

SHA512
73b5cb2f76995e408f98b223a655520201f1f79b16dfec1c317d08fa92b714d1b43ecd4138a608b4e83ded675a9f16e8cec7e6d66f11430d0f3df53f51941a8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
939bca2eb8acae6f90548c4348b32495

SHA1
286af0f5aa3e8e76cef7a0e4ac12e741c6ff3e7e

SHA256
e87d9abbb133ae9da7979faac01095f3a9985bddf189b9d38a38158bdd116496

SHA512
d88a4882dfdca6c5780f457bde44e76cbbb67839048806914bf8b07f2ee9644b0cd3e4bec9d2d9c7c061c34002656d98de6db0493638435504022e0a78a2ab03

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
8df7bfe02aaa1238b427711d987a5e14

SHA1
8a7ac14e27a263ce6ce36bf30571f399e5f1823f

SHA256
76487ae1b10d294631d3727c7494ff2204752eca2a0712654875eac868af158d

SHA512
0156f1b7da93aa446f3b050952a6508f86e050948173229b457e7a5a4151f42ec6adc706bc329b5ca4a52be9e28543697865e4338311d7c36508f5042819a781

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
5a5304bc24bee7a54c7cc097c4f43638

SHA1
148e902366fa178376570c120174291ec3b672d2

SHA256
9b1847b653af5d5b92921d8c4a3e4b128ad43bc987b27251933a2c6c67f6be20

SHA512
a3a302ced3ab09b308b234f4a240251263605389de27dcb0b8355bdbdb74bd85bcee2bb2a59c726f9fff79972fcfac76400f69f90c95c9276546c5dcc1e8ebd5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
cd4c56df5e0223d816ace55a8b6e56c8

SHA1
8fa1e56f66ecd98b91a12b478c95c3c52166e345

SHA256
5468008036c929f0c7245f57d97670f6b217e05f096a293afe2acc77ba5932f4

SHA512
edfb18db94adc6b30b7ccdc3c32d2cfcc85f21ba82f470c9d76268974f6c99447c9d663eb9dbdec174ea02dfa028ec7becc2802ebb7dc512469a21c90ea3292a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
d66290d313f4ab17e2cd17bb4fa55dd0

SHA1
bdf1b1cbc19d941392548dbb97a86c33f382eead

SHA256
6ee4f9b7d01d1406e34e3d672a125e93139575eef95b76aa0b39e04495d53afd

SHA512
7239a31b0d23096c796210a27c56dd890862018c970016192d3267b12b4e24dbb34eb67a96545cacc0d7003655c9aed81ee67866479c73d7c7cb0c4855a97950

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
3de42f58ed177da606af178dc7c63004

SHA1
847eff40804e50168c74082df05305b1c010d079

SHA256
e2574f38a008594a8c4f5bffdaef029f0d1ccf52fb47dc45112294c3f4869769

SHA512
4a2523f45514b41f929074eabfedb0ea87b54dd6b5ea915d12409b5c716e8b5f5e44a16aa62a74906d2bdcec6aa8ca7e8ee559c32ded5fb3f0ba0299eefd0336

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
1d4255aec25d7be6828fc3648fb5e105

SHA1
212668a518f918127ed7d04cd328f12b26ec9152

SHA256
8466b4c3289062ec3ffe9457dc536533a4ac4a069eaa9b8d663b6852ecc8ca03

SHA512
2296565fd845d2e7123c74f1aac3deb84bb90877098c97f9766b59fb0d2dd3a583ff85ba3fdbc8c2075d37f5074745717a9cfe169d42f0ccbbddf479ddde0310

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
34c7419937dbb3ae5a9c24337cc71788

SHA1
0c24d395b16b58c404c0ebaf3c3e98ddcb6b7521

SHA256
bfe23211e5b4dcf2298562f8d6e387d74de2b82c179436ffdcfcf106cc72c19f

SHA512
73312a50adac76252493645347a1675c772b0c69fab212d89903b160a20c05e5a2ca019a2829692ea57f65efd7ba294e8b88fbaabf9841f0756869b6921d472d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\7pjcu16\imagestore.dat

Filesize
5KB

MD5
b6d6865f8ae84fd744d07a71f2d17668

SHA1
bf39f808c86e97084ff1150fe1879c61d33e4d88

SHA256
5852465b9974699676c03f5046aa06cf84f254b8e9f9b3457c2b543dfabfbe6a

SHA512
ff7dd36408f0aa84236a10acb500a9f97f75ca52abf20092a7b7d22efa15947324a6d030f0e3098a5977833c3bd20e49673fbdf03fc3ffb33758559bc48f4745

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\7pjcu16\imagestore.dat

Filesize
5KB

MD5
09d0b33abac1da79a9ce50d5d4261d1b

SHA1
d3c217f9ff3b2efb096153b977a1c6233a1013ee

SHA256
d83cd4a70bddb9591de407a96cc7c13967633830bb4c82153300cf2405289f21

SHA512
6252a5572dbee247f60a4d564b82bef1a46274529221a818a43af1a89837f8a739cf2a4a0055b322204e612abbae95b30985251ca287d102d108a50e96c3393f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\7pjcu16\imagestore.dat

Filesize
5KB

MD5
42b6b1e745ca22cd55a92e2452c0ab11

SHA1
49491c7cccdc2dfcbe005aba05145a918b7c339e

SHA256
dbb5fa989c4891f865d1d54c52029aeda38d88475c41da1a9312f996b3eb7e60

SHA512
d27380f94af7ccc2436b91683fb82bfa741a9875fd088388ce8e007a9e839f73a0b55e49f1be34c30ffbab4a40096c9d54f19c984235692c00a1ffe8b2cf6fd5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{19CEA63A-C4DD-476B-A86F-6C9FF8D58E10}.dat

Filesize
5KB

MD5
cb052d5432ba00268d8f16f070c78e6b

SHA1
09b7d13a0ce27ac058f16066bf40c75ddf97b16c

SHA256
380352b9f638aa684fc363064384cbccfcf5353b09d8deeedf4e8fe395213e83

SHA512
ee29f159a7b716e8e75b60dcab1e4bc134103185f224f4ec70a26944b84a169a0134c9ef45e34714c5f1c91c6407267214192d890d6490e60092bd0648f91853

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{921D5D45-D780-479F-8C76-73E388DC5976}.dat

Filesize
4KB

MD5
6db97bbfe3dfadf9cc933fcb4767b547

SHA1
448114bae846e76103f0d6189a2525e6bd2577de

SHA256
d3fbd56bc81dd2ea0772a5059568f7a8eb2324068f54f4333b1ca49a61fbbd45

SHA512
329ddf0889d2101306277b78daf3ad765d3647c557f46addd696ee74ec4241699cf4fe4ee2c439ac86108b4b959d8a040ed304f125db420ae8b2c508081a62be

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{C7804D52-BCD4-42AF-9E9F-5CDF304B3E48}.dat

Filesize
4KB

MD5
d059fc144c76e37275433ede68d1c67c

SHA1
6a4bcc178332e1b6d36e4d9e0c02f4fdcaa06c2e

SHA256
a9c32b94aaed99a6e1688786837f0118c70a177a2b04af4902d53f5c5828894a

SHA512
c0bb78118ac05d66fe109b8abec490a7f1d11ac1b8acd687a86b34cbbb9aac6e1f818eefe0f9eae7e60e3e013eb585cbed7f4d775c296714730d6fe93d987727

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{79F23EA6-7224-442B-9BBF-645922A3CCE0}.dat

Filesize
105KB

MD5
1b57f7061cf62043bbe4a7145a765123

SHA1
099dba92436850d24fa6ee9b5a98f3697006d2b7

SHA256
1c6e62e3bd54d71702dbd24d39e57f060d5b389d7fde4e80f017cdd775b20188

SHA512
525219ccf17457296e15b5ee2f59d1fac81f441f20cd57f4b25f4375dceadd3496717480d0ed4e36e28a7e952a9a77eec14ba23ff547e5381969d292a3f8d468

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{A1F55BA0-5E6E-4FD9-85B6-5F3BF9F6BB33}.dat

Filesize
17KB

MD5
5c40e23a5a6b1689c42c1b8607a4cb0f

SHA1
14ef75128ee5149aaf21838dd90d8f01aea2922d

SHA256
232536b73cbb59f86e5882dd3123ee052820e8fa99f17b47dfc4551d99348914

SHA512
20c1ec440ded4ae2f14a85d2058dfe9e8c4b0b3583221a5b985d3820b48649764504a41840ddfcae3d87438d48f5037e4b5dfd6494ae36cda0dac45077f58d55

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{AA0CBB79-C016-4C24-9057-55CAA21129DC}.dat

Filesize
8KB

MD5
38015a12eab22008b4b27e8d75bd19dd

SHA1
f8c7cb1e0cd77a578a1d3099006cf787ad6b75b5

SHA256
9caa35c985cff51a4a54f47c56608f18de75fdb617362a18ba60fddb7e68dbc0

SHA512
8fad615d23f432fbff910456c23bc58498c787d045e93da2a6cb52bfe6b5511c42c76c7bf49a2fa38dd1a971184660ddea36b97b3d45381b156d2d322143b526

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat

Filesize
12KB

MD5
13a43c26bb98449fd82d2a552877013a

SHA1
71eb7dc393ac1f204488e11f5c1eef56f1e746af

SHA256
5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

SHA512
602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2236-18-0x0000025AB9C20000-0x0000025AB9C30000-memory.dmp

Filesize
64KB

Download
memory/2236-114-0x0000025AC06F0000-0x0000025AC06F1000-memory.dmp

Filesize
4KB

Download
memory/2236-2-0x0000025AB9B20000-0x0000025AB9B30000-memory.dmp

Filesize
64KB

Download
memory/2236-37-0x0000025AB8CB0000-0x0000025AB8CB2000-memory.dmp

Filesize
8KB

Download
memory/2236-113-0x0000025AC06E0000-0x0000025AC06E1000-memory.dmp

Filesize
4KB

Download
memory/3520-350-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-152-0x000001CAD4200000-0x000001CAD4300000-memory.dmp

Filesize
1024KB

Download
memory/3520-358-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-77-0x000001CAD2300000-0x000001CAD2302000-memory.dmp

Filesize
8KB

Download
memory/3520-81-0x000001CAD23E0000-0x000001CAD23E2000-memory.dmp

Filesize
8KB

Download
memory/3520-75-0x000001CAD21E0000-0x000001CAD21E2000-memory.dmp

Filesize
8KB

Download
memory/3520-73-0x000001CAD21C0000-0x000001CAD21C2000-memory.dmp

Filesize
8KB

Download
memory/3520-83-0x000001CAD2400000-0x000001CAD2402000-memory.dmp

Filesize
8KB

Download
memory/3520-79-0x000001CAD2320000-0x000001CAD2322000-memory.dmp

Filesize
8KB

Download
memory/3520-100-0x000001CAD2A00000-0x000001CAD2A20000-memory.dmp

Filesize
128KB

Download
memory/3520-146-0x000001CAD38C0000-0x000001CAD38C2000-memory.dmp

Filesize
8KB

Download
memory/3520-68-0x000001CAC1B40000-0x000001CAC1C40000-memory.dmp

Filesize
1024KB

Download
memory/3520-221-0x000001CAD3DB0000-0x000001CAD3DB2000-memory.dmp

Filesize
8KB

Download
memory/3520-343-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-354-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-356-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-364-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-362-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-367-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/3520-360-0x000001CAD1D40000-0x000001CAD1D50000-memory.dmp

Filesize
64KB

Download
memory/4636-47-0x000001766CC00000-0x000001766CD00000-memory.dmp

Filesize
1024KB

Download