asyncrat | hxxps://github[.]com/Dfmaaa/MEMZ-virus

Analysis

max time kernel
300s
max time network
294s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-11-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus

Score

10^/10

asyncrat default bootkit discovery evasion persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

Os3wCmVfxWlB

Attributes

delay
3
install
true
install_file
fuck.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fuck.exe

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000452b2-1170.dat	family_asyncrat
behavioral1/files/0x0004000000040d8f-1198.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	AsyncClient.exe

Executes dropped EXE 10 IoCs

pid	Process
5524	MEMZ.exe
5264	MEMZ.exe
5608	MEMZ.exe
4976	MEMZ.exe
1648	MEMZ.exe
2436	MEMZ.exe
3328	MEMZ.exe
824	AsyncRAT.exe
5116	AsyncClient.exe
4100	fuck.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
71	raw.githubusercontent.com
167	camo.githubusercontent.com
70	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7aa01b22-7d03-46fb-b8ee-4d9ba634072f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241127051947.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4820	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\NodeSlot = "6"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 5a003100000000007b59bd2a10004173796e635241540000420009000400efbe7b59b22a7b59bd2a2e000000450300000000060000000000000000000000000000009052e9004100730079006e006300520041005400000018000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e003100000000007b59b22a11004465736b746f7000680009000400efbe57590e727b59b22a2e000000040904000000020000000000000000003e0000000000f9862d004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6048	msedge.exe
6048	msedge.exe
664	msedge.exe
664	msedge.exe
5336	identity_helper.exe
5336	identity_helper.exe
2880	msedge.exe
2880	msedge.exe
5264	MEMZ.exe
5264	MEMZ.exe
5608	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
5264	MEMZ.exe
4976	MEMZ.exe
4976	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
1648	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
5608	MEMZ.exe
5608	MEMZ.exe
5608	MEMZ.exe
1648	MEMZ.exe
1648	MEMZ.exe
5264	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
2436	MEMZ.exe
4976	MEMZ.exe
4976	MEMZ.exe
1648	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
5608	MEMZ.exe
2436	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
2436	MEMZ.exe
1648	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
5608	MEMZ.exe
4976	MEMZ.exe
4976	MEMZ.exe
2436	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
5264	MEMZ.exe
5264	MEMZ.exe
5264	MEMZ.exe
4976	MEMZ.exe
2436	MEMZ.exe
2436	MEMZ.exe
4976	MEMZ.exe
5608	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
1648	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
824	AsyncRAT.exe
1056	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	5468	7zG.exe
Token: 35	5468	7zG.exe
Token: SeSecurityPrivilege	5468	7zG.exe
Token: SeSecurityPrivilege	5468	7zG.exe
Token: 33	3604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3604	AUDIODG.EXE
Token: 33	1056	mmc.exe
Token: SeIncBasePriorityPrivilege	1056	mmc.exe
Token: 33	1056	mmc.exe
Token: SeIncBasePriorityPrivilege	1056	mmc.exe
Token: 33	1056	mmc.exe
Token: SeIncBasePriorityPrivilege	1056	mmc.exe
Token: SeDebugPrivilege	5116	AsyncClient.exe
Token: SeDebugPrivilege	4100	fuck.exe
Token: SeDebugPrivilege	824	AsyncRAT.exe
Token: SeShutdownPrivilege	5264	MEMZ.exe
Token: SeShutdownPrivilege	5608	MEMZ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
5468	7zG.exe
824	AsyncRAT.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
824	AsyncRAT.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
824	AsyncRAT.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
824	AsyncRAT.exe
824	AsyncRAT.exe
5804	mmc.exe
1056	mmc.exe
1056	mmc.exe
824	AsyncRAT.exe
5116	wordpad.exe
5116	wordpad.exe
5116	wordpad.exe
5116	wordpad.exe
5116	wordpad.exe
3328	MEMZ.exe
3328	MEMZ.exe
3328	MEMZ.exe
5264	MEMZ.exe
1648	MEMZ.exe
2436	MEMZ.exe
5608	MEMZ.exe
1648	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
1648	MEMZ.exe
2436	MEMZ.exe
5608	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
1648	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
2436	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
1648	MEMZ.exe
5608	MEMZ.exe
1648	MEMZ.exe
2436	MEMZ.exe
5264	MEMZ.exe
5608	MEMZ.exe
2436	MEMZ.exe
1648	MEMZ.exe
5264	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
1648	MEMZ.exe
2436	MEMZ.exe
5608	MEMZ.exe
5264	MEMZ.exe
5608	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 3876	664	msedge.exe	81
PID 664 wrote to memory of 3876	664	msedge.exe	81
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 5644	664	msedge.exe	82
PID 664 wrote to memory of 6048	664	msedge.exe	83
PID 664 wrote to memory of 6048	664	msedge.exe	83
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84
PID 664 wrote to memory of 5436	664	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Dfmaaa/MEMZ-virus
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7f5905460,0x7ff7f5905470,0x7ff7f5905480
    3⤵
    PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6664 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7936 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8252 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8380 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13648789148552266622,5029385943323622511,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7848 /prefetch:8
  2⤵
  PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4824

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5524
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5264
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5608
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1648
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3328
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
    3⤵
    PID:5496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x128,0x150,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:2328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection
    3⤵
    PID:1228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:6028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
    3⤵
    PID:2128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:2124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
    3⤵
    PID:4300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:5144
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5804
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1056
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5116
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
    3⤵
    PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:5500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself
    3⤵
    PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money
    3⤵
    PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x150,0x154,0x158,0x120,0x15c,0x7ff9ea1f46f8,0x7ff9ea1f4708,0x7ff9ea1f4718
      4⤵
      PID:1976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31206:74:7zEvent27313
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5468

C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x248 0x2bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "fuck" /tr '"C:\Users\Admin\AppData\Roaming\fuck.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "fuck" /tr '"C:\Users\Admin\AppData\Roaming\fuck.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C34.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4820
- - C:\Users\Admin\AppData\Roaming\fuck.exe
    "C:\Users\Admin\AppData\Roaming\fuck.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\248dc103-d7e4-4a06-8a72-f2927102bdac.tmp

Filesize
10KB

MD5
26b07b3bea8edb7069ebc8bcc9fc8cbb

SHA1
c4e7e9f266765aea059499b7f081e7ac35210521

SHA256
e773b8501350e8f27c2b75044e22bb74c17a78ad5ecce62c0c3b4f5451ab1a79

SHA512
75d1e10279632638a61e3a7a43331b159987d3d616f3482099c721d0e5c554d57da3ba065bfc0381e6352db9985b443bc8740ab11ea512f7c2661a52a887c817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
843402bd30bd238629acedf42a0dcb51

SHA1
050e6aa6f2c5b862c224e5852cdfb84db9a79bbc

SHA256
692f41363d887f712ab0862a8c317e4b62ba6a0294b238ea8c1ad4ac0fbcda7a

SHA512
977ec0f2943ad3adb9cff7e964d73f3dadc53283329248994f8c6246dfafbf2af3b25818c54f94cc73cd99f01888e84254d5435e28961db40bccbbf24e966167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
557df060b24d910f788843324c70707a

SHA1
e5d15be40f23484b3d9b77c19658adcb6e1da45c

SHA256
83cb7d7b4f4a9b084202fef8723df5c5b78f2af1a60e5a4c25a8ed407b5bf53b

SHA512
78df1a48eed7d2d297aa87b41540d64a94f5aa356b9fc5c97b32ab4d58a8bc3ba02ce829aed27d693f7ab01d31d5f2052c3ebf0129f27dd164416ea65edc911c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
49466246aa9c46b768ccb553e4637c69

SHA1
45ae4672cca17acf9bfdf21ff5660b3ae4d59911

SHA256
f968489d33c5c8b6b1d4346326cb9810f798564982b323239e3bda9f97531f70

SHA512
3f17c3b1502412707cf284c35c745f564749f052bfdc408b1aa7deb172c3993fc88b89777c92e9422fdb1556656d25ec3e2dc4f1f9d11f7666af2fa0324fe607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\92d0a77a-3591-4a76-b2f4-8fb38ec1f737.tmp

Filesize
24KB

MD5
952a6e3cbc50f011cf2f04c9470080ff

SHA1
a0d6a2509af73e523c970f6e4351861bde63d6db

SHA256
faa79ba7dfd140106187ab50f14aa7cca13650f94f796419bc0a44d7a2b79d5f

SHA512
7955092a6086f05268e4b0f88648d9275020b6cad83f81c90eac5a7cd994cc243b8dfab579d4335db62f3577fd2d8a7fbefcad6cc615e2bcf1d014115056cde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\27e336d9bf26b5c9_0

Filesize
288B

MD5
b5c4a8bbec5537ee650fab3a7d16f879

SHA1
1ef2cddc9dd7a1350132eb16a9e5126fbb440b30

SHA256
eddb21fde95acc8dc25075101cd6302e25f6ddbcb9827cbcb288788978b7da88

SHA512
232a70af054f3657cf4d9a635963081c6eadea7d1ac03cdf1856038101ccbbace4c76b10f7770f697ca0a52c68cb93e6eaec4eefe97390e66b5d2b4210437371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\33f3c0123c841dea_0

Filesize
428KB

MD5
61bcec4ee5f4664db2f3d2ca268f588b

SHA1
66a7b8733591e2d66fc7486c27826e3dfdae4ccb

SHA256
726a1ac6d6c810ca7f502fbb6a61c66eefa66ea39ba11230ddf6fe9e4add170e

SHA512
6b531ffe0ee2324f94d4ade1752396592aecea37d4ff69a842b710af6bc28010d86f3dd13666b24d97a5cfa006c461fcae7deec57101d2a16bc9c4914ec89800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eef153ee5b884e2e_0

Filesize
19KB

MD5
aa077fa7a618bbddc72907f3e5ce6955

SHA1
02096456b45c8bec6824461097308cd286470847

SHA256
dbdb1c81d63058c2ec3b7d54f1bb3bae1dec3c84778bb3cad332efd8f8bbc332

SHA512
ba6a06dd2a5fd4526561671bf7e45fbd0a930f370e7dd59b56fe7719203e2115f988a9665ab2446a70531d1efc9f81de7232dd752174e344f83b4f2fdde1e93a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
afa4bf84726b952852c3b8b9c8d6caa3

SHA1
901defde9feaf5035e5fa3d99a408120f09074f2

SHA256
60e7db3de81b3b27c5c3546ab93df1b0281a543fd29e2b7708e22daa6ec91ec5

SHA512
1b8c6019039199f6c9e39aa5f1fb11b47c3621fe16cd0dcf9e2de5fe4bdcc9aa890d183571cfd68828b999f815f269e5086662afde21b8ad62d283223091bb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
eb9416f62f94748cc0b1db850b43f519

SHA1
7e751c0eb50d64d144e97df7311533d76a41ff43

SHA256
b8abd72beb691f8429e275679a34dad6b2897fe733d9b5bc024a88201fba0173

SHA512
2b015e7a9a877ebb556ff740808a09d11acbe09523e8c891ba8c609c3101e35976ec868acfa7833aeb426761de8a13accd935758ea9379ed837b50c26e1ec005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
860b60e3875081737f3cd882efb8df60

SHA1
96da5a13a50f6797f84c169f22aba39757021227

SHA256
be180fbc122791f886c54e520dd5b8723361a08e1264648812d5ca84398828ce

SHA512
809738e0aee27146974b2e8c8196e137dc5e191b86b39432364b4a13964b9941abc57a2593d545551520cb043638875cf4d68ce24e7f7b47c464a112c52f7c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
94f938ff89db9d53e414d32d57936d69

SHA1
27bb14949b90e3bec29f8923af9971ae094b4f52

SHA256
733f58d1c09728c0efa82706e4662a63ee4857ddd43241bb4f107b1ec5bb7b22

SHA512
d6a4a4ef0916614f67a02837a65ae66f19cc91d7f0e1ff9989dc24dd2e2dd22a119bb68336f1554fac6581061dff0841ddd4bed657206c0b7e8906951058f200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d3bd7e1da2c301394700d1be25736b71

SHA1
099f58ba719095f41268c800f3f6d97069baca56

SHA256
f29f4a70103e0b767feb731008de94838adf356e4fc42a65b5dc85d1793c611b

SHA512
47f3daf52b6553b29b40c996405e8e35a29e8217c0c319b6889caceb296b93d39baacc29b4b18b3201f743355d72babc2c92218405efbf9b0a5f65780a53f28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e51401bdf1eae288a9ba5d952ebb3aa9

SHA1
5effd82fee8231e1294fd404dd1f10caf5c41fd2

SHA256
a08ea4c022c5207583d92dedf27194f6d81335b90bef42e90132333220a52fa2

SHA512
f777e86f2eb64d2c31afba76f544f9a65392b0d77de18e16d6a2b5534f43febc083f757d37c0719b29b556c5f73b1238c0857ee7b9a6e18c0c9c99ca54133edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5b0a45f1e633702dbb9e3e6d1cf73cfd

SHA1
9d9e25ac2706167cb59e0512352b0277ab419a99

SHA256
92b3641107ae3c110af92b400190b71403491ea036de42d0cff3764a406e3df0

SHA512
450fbe61534c7d913d355f8796db3fd73098fa329b39500f78f72fab0ba0f7491b8b9ef29c16be60642593d7e811c04d95fc77451a25ba932ce1beab0b88e409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b8396e83ff11aa56aaf6fe9e385c8adb

SHA1
39c4cf4cc3e5ff908ab480bae3f56c808975d266

SHA256
958de781756d1b701292d4308576445da4f5cc986f6e17002e2d524255058b34

SHA512
f6488c4650ef4cbcd265ecd5ffa0063d8011e87c192076983f8d52ce5580ee9de72f537c08b55be9781606f5db6fa3a4b18241479b90f6a77826b7dac6cd8698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7ab3c3baff74b3f0e81ba2cc23112b49

SHA1
ff51179665ac50680770567789092cd8b8ad28c2

SHA256
8a29d70d60d736798819c4a0c858a1718818a6963070b4d2d86fbde9c22b4fc0

SHA512
1e50d4c65f421d5cc1205f92095839a75545e9425b219d784c767e086c1fdea7ae90f5b57f7e48861d19782c24432ab4673a2a0071a6c0d545d8c99cf40656c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
384775d59993aa1b349e25a4ffa2f7b8

SHA1
4ea6122d2d960914e738171582221d439a8c80d2

SHA256
f5af9f1e2f2966ddc3260944f8c7dcec1008f1366e48720736eb94ce746966c3

SHA512
8bd6bc96b489da2bbbb3430f99b208cabdad85871e77d9ce0dd9e7b2ae0b427a27d5f802dd125b68a8e08b728f3d467b6048a6de1c4a1faffa7f8285b06e7389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4f3e532f02aa75c70b44a9d9dea428e6

SHA1
fee8a8aa863d430e920caa380227927a80ed29c6

SHA256
5b7c9ea0085df3fcc2d12ff6be82ce029a49a00245b360a9cf436618d7348e11

SHA512
357432f6bd424e18d56b5d595aa8c7aca6e86bbfa3530f85fd6fe260e31a24088b92aab2e5da2ba094d8e17adef5f0e676a2992c0b5633f62c20ee0df024d73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
27cab40b6519524c919ae39e1ecdaae5

SHA1
f3662f6da690e952b9a3acb484a8f086a2dfeb6e

SHA256
0c1eeae001d27a6499d41dff07c5c18a968ccb588c0fd5044a714caecfef0129

SHA512
23e6c1662ecd2ed3dab2b62f19b589dbc54a5f953be2102d2be45cd40fc7af6779e5dd5124e66bd48260b73705848225e81b48c355875f595479d1b06d7e030a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
37ee86c2bd981d2f565a175b94624236

SHA1
7add619bba785f80a60651ebbda34a00e7e123ba

SHA256
de4b46d80af1cceba05b4c255399c11b898b82355ef29bb362f1750f74d36dc8

SHA512
52cd01e87834be07745cc9aad187a5d7a1a9402f2cc853add1a0d587448246d2fbb3da5588a07c5d9631aea87e0f3921382de06ed5283801131c02b20af4cf01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
79484f9123bd7c9df0e00f03d3d3d03a

SHA1
4944810aa64d393157f0f89cb0ba2383a0b0d114

SHA256
eede374722a2835230c68cbf690d749ac502634c7da5212809699665bb1163bb

SHA512
05d6d5e6a372b7296f7446e503bb0f8899c9efdc80af9f13aa6b8ffa5ce1cc27acd54632e4e0218977ff3d4e7d8e343584cb707c01b98a82413008c7162728ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
609acb77823b7eeaf8c3f6ba27bd59ec

SHA1
4b92bc6fdc64f32eb67593ea23c90f977029cdb7

SHA256
a6940a8728404d6bc23855ca8419508909e18b323572b538df2bf1834b7a1934

SHA512
e6ed253d6530fb12df1a5f039e66610ddef17f78d10e04a655e706f1050406b99cb03f672274e3b8ed3b00f4e2632ea4365bc819c63099d770727a0903b44926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a903e293ffe5272bc2b5c846c1a6bce7

SHA1
55023f51ebaeedcebd53bce9c7b99a6807bacafb

SHA256
1b1da89efa11f85aa9d99f1bbea5515ffa65bcc28e1544abe6a87fa985d17a82

SHA512
05cb6b3fff5ceb6d925b788747a596fc10ef04bf5a84930c71e815cefff84988df38701dbcaed8ca2e91af6f637bbd26ca19a44f62488583d77ea8ba86156c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
49bf519b16faff183eb082c85d015ebf

SHA1
482c65d45c2511c4c6600e4c259407f9ebe88bf9

SHA256
04ec59e6a881cb734d2f99f4bd8d8536a96d2676271991196c79d7dd49178c59

SHA512
d739db2ba782f28aacba7437a93d081f06ce6ded48dfaaec246c0424987b8de74cf6286bd08d761527d2092753a6196e0f7273a7758ad5d4768532e5d1c7dd24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b745400a08fb698ee93c0af7eb4b3d65

SHA1
7441e1f171a53bd62c0bdb0ae919b078b06578d4

SHA256
47f9371501218c59c7c4ccc7f559e1bd26eab2e9f980a52457cb1df6d00d3de2

SHA512
186e2b3302d7e874da40aaa2546b7948845b1c671702c07c5fd229160ff66e34d24d3b13ac7312b8216675c0133a41199a3d683432e6b5b0c2ae4b7987fd6532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d42c4bcaa9f7a86549ecdeff313d0876

SHA1
2d757edb2b15d920e82646eaf866941663c1d458

SHA256
81d042fa22c0681fae73576f6ec5df3072d6ca1d0a042517c8a808e6c8def7d8

SHA512
9d58df99761b269c829cefbd184d3cd5526a1b3cded13bbaf7ed65387cfb1196958efe2c4c536f5e5154ad95fb6ef2f0403c82effdae823823706a0e18123adb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
74d9eb5260fef5b115bec73a0af9ac54

SHA1
18862574f0044f4591a2c3cf156db8f237787acf

SHA256
7d7e7b38664d625a0bbffbcb7882b175709e92987bf9da113c4745fafbbc361d

SHA512
b85917201b1d4b4542a4424ce40ddd083ddbd0e230e1931fe6f7cdd2aa3d8a0eec8daa743ddc5467f0a92da5594144c602081d941b216ca9cafdfd3c150d32d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
ea678bd42ef854fa1769f393f5f2c3d3

SHA1
2607bcf7eb83ab40e8dc259639d4dae3c610de81

SHA256
53899207a66fee5a6e7f4d1e2dbd93ccba95aa268150b28e005442538ebcb9b9

SHA512
beab237dcd52cd57c1abb585180fb7fde346c7d950299fb313c80f3751e949a4820199c8b6b0760f1bf574a6bb18207f231a5ec7fd20461e21d62e5e73ca3c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b48cf6a456475572fd0c2ded7ef19758

SHA1
8cd01659f412a4c7f20fc81a696129c1359ab653

SHA256
f2a76c6cedbc4b5cce40649dcc1b2c01729e1d92e8c4d83dd6646b01868d308b

SHA512
3253567d73bd3888f69b6a9daabbffa27ff23ffeed5554970b68b9088c168551f240ecbc661bd531a9b14a91682d229b7e45c1b6d9ee5dc2b12ca768eb85c365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
882994e3ab13e4d7e925f61856c655b1

SHA1
de5c105c2ca11cdc3795e66bade1a94b222b9df4

SHA256
b70c3f69c9ed52dc3ed4c8b359be49afc7f7f188029205e3470c62df54dcdaec

SHA512
f419d33523e78cff1e7f1ab9fa931b87f38f81572ab5ffdf2306d1d50fec0c920babe7f96117efd4fbbcc65170d5881348bbb6a40c8385783c27e67fa2380fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0472a270dab68af6b10f7f6a8a97eeb0

SHA1
63d55706448735239cc6231e16b0ddad1ecd823e

SHA256
5f184c3fefd8efa02d9c12de503fb4cedae5776d56a8012011959d9ad0ef018b

SHA512
807701796a40c4d33958b60ac934fe68727fdcacc82c6c4fa89f3da5e706585f1178264d8f654373917ba5d816e592249b1e1075b9d1c06ef7ffc1006f0de59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bfaf6.TMP

Filesize
48B

MD5
67794e9abfa6bc9c2b0d62475fb6ddab

SHA1
dc348e9f72b983140f85d778c6451a3ef3a1fe65

SHA256
a763642c089624cbb655dc98a74466dc8372cd062803dd2bcc8f97d9e6ad8fbf

SHA512
64783f68b68581a6353cb7c94f0335bcedf77048dd2f2b9dee8ce6fa55841fe09f3ea6dc844eac89972734df87075df9a7cb857e3821a39c86a11eaf3e964999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dd7bbfc17c809f12fee3a8189aa6bf02

SHA1
fba1a095ea105b3ac2834a4e0370575ecdc8ced0

SHA256
4775bafb9e307efd1d88a5544ea4d11e5c04fe3683af23446644508a6dbce1f8

SHA512
402a85b053ba4c956784c2940e2dd38c5603fe0770a1b2f9aa8087b85f8cfc74c3dc914e59277ed333ce7a5337a18ef163042f774d2a60bcaa53c76e13632f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1ec65c2e149d404a468b758ec1d305b3

SHA1
d45c46f6a056fcc41d35c15678a46a06ec040758

SHA256
83a16e55e3379e7f7c7541752ae9697bf2f7e62b5eb54ed3f8605c39b7d29196

SHA512
ec2eeed5cbc8c2ad2b986da1d2f336c9be51c648af5a6820da8b4800f667b9fdd2392853e96dd1bda16bdda524bd780920ae3b68bc00a70de4d6aabffb00221a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fa6e3cfce27eb7eafa038d54ba622988

SHA1
c38f9c9995b3cfbe0da30976d2323e9bd5b61235

SHA256
e88ffb6a81ed0cd378fea9720fb6d485efdea8e6e95cc3c392d16e80103e3836

SHA512
8d53f9b7322de6b0e3031900e741e72751fc610a8fc0d0bf109b7c91b8c13c4eaa83c6b3271a8a2468cd4efef7469df1d8f9f3a4bb0c61f6c7d6828bee171ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b6fa1adc06f1aba3b49b58aa8f7c51db

SHA1
859b16c13757a2453dc11970b43c7d48ffe9d730

SHA256
013c7782f7f438e4c504d137165955803bd06eed8951bee96b4dd5011f825042

SHA512
084d870c4457e11ea05ab9790da9943b0efb01116b59cf728b7a65acc1f4a469aeb2b09b7b3e34202ed77db142cc0698076ea92d42bab4978af00fadec90635f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
768061708ef05fc56811a3125acb236e

SHA1
8101e51b59a2cb446abf31cb2fcdb486785c97db

SHA256
a9de003958056ac597729e7ad4508a5033995b11420b5ea99c687f6df23b66b6

SHA512
7f40cbced0c957a45e92b62a00027f15f6b6337a0f6dc9447e1597d34dcef55156512fb586cae994cce958133c0b50b3cfb25ef2e9c084ae370cb82bf5bb7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf432d419ee0acd984bcafb1bec5b4c0

SHA1
85034a2f691068ed15b730c4528760a4961378e4

SHA256
8e279bad4a8b94e63f6175c6eb3e2633753f352a1c47e5e7e9f055e61a17cba2

SHA512
bb8736211c2e09ba4eeff20da0de1188afdd001639d67b53bc04c04b79c5f88024147f3f9905e2a7eb5a9e706781075648ee35ddd034398620aea9295554b815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e213.TMP

Filesize
874B

MD5
87c481a6aa016d57e34ac4c9975bd0f5

SHA1
e3ef4e059f9ed1aacd97b9e787cf270b37558d9c

SHA256
b4a76155c644ede4c9b2882c0d0b8b518d3c582241642dc57ab701873c2c3508

SHA512
8a75972084cc695b15bffc494de3b591cc3001f1884bdb7862e59e876f9d560d4641f2bdcb0fc02186c6e93452f835b4ea14f84a64bc76ea823a9efe56fdd9c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ff88e351-c97e-42a7-97b8-93a1523ec3bb.tmp

Filesize
5KB

MD5
dc401a92b64e1a1169f1ff48f52757b5

SHA1
28bdc5d8afb4710f5938b8548947a2d3f28eb2fa

SHA256
b74b45d59d845dcdfbf4d2ecdc70e562b7095780c7902089dacaebf4f1763a76

SHA512
33a9303681bb52318f4b448c629e4e94f31af36a02a58742a5073386267b877089c36c03a9471efd882c500c89ad2ce59d997781c2a858d3fab6e93deee94f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
421ed180607efbe88c31cd1f452429ab

SHA1
67b3f55a04f6f755d96e8579f4dc6887ae9a437d

SHA256
c41d9c81ed3e5ff4590bb9ba0b68e84af24da8aa062ed3ca7d386342cfc7fbef

SHA512
c500220a9f4a94e73dfec0cf47e5103a03e21abbad12aa7e1b24baacf4ab7c7e1da97de38987e423389cb4fec04edd18c0d4466c880c49b5b3be709a34f35565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dabd4bd19a76da0400882d6b04ba14ca

SHA1
b1291ac9d3f4dec88e04118cd6366f2b518383a3

SHA256
4bd760c553515ba0e824fcfb5b7adfcf52b3bb3bf21549777e103ea33ec8b7d5

SHA512
e399568011dbf87f745fec8bfa1702230a736be4cc976992a5c29e9a947b6aea1d903074f5a201eb77468fc9177d7d2d807254e465599de03559004ff3e8f778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6682cbd8fdf2d7557d5031fbea3b9083

SHA1
0254a1c787e146263c677b9929c2b5358cbcd8ce

SHA256
bfcd6d6ba94cc21c608fa2fc7215dc941c163ff9e5535f0d558dd805d56df87c

SHA512
7ad60bb054a4c257c465afc2388f688feec55d5fe4354dbb96478ded938c586ebe6939f2d5c3b59cb8a137b45d713b0cc8e1c856e63cca3c4fe2cc2e6b0f8b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
10530ef3f0cd88d845cfa3436ff1d09a

SHA1
ffdcba6ad7f86fffad53255c8038cd21924be43a

SHA256
ea1e28e9d372d4ea5f1ebd50141715d740b328e51122d586beb2713d2afc14ae

SHA512
1ff1fd1c4b94f68350da7e3141674947480bef4fd35fb245dc7e8cd8807dc9840f4790ecddeb1ffa37717214d253b3dc0dee6595f517ae520c7b0a3d62422c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b5b2b64f014c388909975acf1dd98c44

SHA1
521bde4421bc287b2d992ffebf61de421439f266

SHA256
b755fe0b87f2d39d6727260ef630d153a332f44fadbe7d59630f4a49db3a8ede

SHA512
5d74db935af771cd9217da2f2688c06e5e44642c4017c63c88ae2694082143e7c18e74aed8c197bc86133fe751053eb3bd9631939204d67bb8a04d512e561ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0486ab81932b1e9a906c8bf36e319855

SHA1
c48a8e6e4d2db02d454fdd21cebfb5129345fa79

SHA256
10c1bc31fffbef1906af41a7eeb340c30713f2e78f7318da376bb715952af9b6

SHA512
5630c7b51287ee7f54bf8c935e3814282b3e3f4ae89a7689a1d1eeacdeab21f475d434e947eb2a103b07c335d56385d0a2f2b8c45bbbcde44912d7292386bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C34.tmp.bat

Filesize
148B

MD5
5241f1572fc366911b2e5160cbf6802e

SHA1
adfb567a529d367e27498aaf06843c234c20c567

SHA256
9a3049c51201dd27c0b7323344d21750fa7f48b1b40dac29c1bbddc56d71f34a

SHA512
7eb578e954982d5c1f7160df1eda718beb13d74fdd2941a962ae95d496585fe280d8e551083249ae07dfa89dee4fc58ec46a14c1f87db179185a4a3131bce8ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4ad15a5da630f3e8b6186e8816b60966

SHA1
c5407de6295c256a28d8b85d2647ebfd65fee549

SHA256
c85bfb4fbfc6215499ae1d50807b5c7503483ee2d0a21c6219007388410d5815

SHA512
21df45078cde4b33c0d827732cd5fba337f006027194b814216774137af08b106ef32084625adb1a155a657af8072342af890e3d8be15d9a9ea0dae7f87d08fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2783f419e1cc59f088f8a73211646115

SHA1
4e3a7d887ce34412ef4b7c1c1a383af10d3a78ae

SHA256
ae04108e91c32b191cb6f1c433d7a1c78821d3c324bacc5e4b10ae8bd6fdad6d

SHA512
63d06d3f82f2dde4e65376769c28034fb8e1fdc433c2d9a996b7ab6a37e2e7798da69529d108b8dd7c12081d461bddc2bc16914d6144e285e766144f489f41c9

Download Submit
C:\Users\Admin\Desktop\AsyncClient.exe

Filesize
47KB

MD5
d30d5f53f268555b45e7116a952b2097

SHA1
2ccd43c5cd91814ec2a202d9da459aab9081a79f

SHA256
e8235cd9f3bf85d13785cc2ebf1e0540d1f9a12c581448b1c3db8d79de9b5ff4

SHA512
719c17dfb323d7a6d193d45bdc68b2c6ceb4bf3274c1f86b3eb7fb5c0d0c3e34687d3ba25745a4a0f31dd285ddbc946b33f80689bbca0c36e8b3127b4e515ca0

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe

Filesize
6.4MB

MD5
97a429c4b6a2cb95ece0ddb24c3c2152

SHA1
6fcc26793dd474c0c7113b3360ff29240d9a9020

SHA256
06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5

SHA512
524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe.config

Filesize
5KB

MD5
cb1f2dcfeb5cbb5af8efa7ea40b8e908

SHA1
ceb040761554040cac2fc7ca18623498d3bfc7ce

SHA256
58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372

SHA512
f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\Plugins\Chat.dll

Filesize
367KB

MD5
b230da150aa974d2a0801cef654cbe05

SHA1
ab28e63c165ebd7d43d6d0eed4de2750743b9b27

SHA256
37d41c7042210845593ddd7e5a5e37a37f6605305264d50a30aa2be1686000f6

SHA512
2d81546548b6ed2e799eaaf4766ac9a811344d9f57726bed7270e289234f7b917df07deff9d1f6e93b9f4d186daefcbfd2d0181b12406a0b5b81e3bdffa65aaf

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\Plugins\Extra.dll

Filesize
375KB

MD5
3bbcb7c7967c714f767d751db17ed1d0

SHA1
ea15b176c5c7073bfa3bb58ebe9280b032414fbc

SHA256
7dd3978e7721f4460d639d17c47fe1307917dbacfb858d0d12e403105cd47089

SHA512
c20bf3b9b4051b050b6efebbe3c6ea54e520d68172f4ef7bbab961169c4479e9c77b39719e0139edd6ff4c4366b355579226f49aa979331ac8ab8c69bf3a165f

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\Plugins\FileManager.dll

Filesize
392KB

MD5
9caa1fa3b3b7824167610d309446223d

SHA1
093fa014488ea1ddacf083c398fb8b2d07b8a0e0

SHA256
9d1b94035f381b5183e82a317f001725674c8ea1c5cd82ab5af408f7f53ca19d

SHA512
feba121ed3ccdef26b0c78874c5247cbb223b2992649fed6bbc088bfe952cf86de1145d84666048ad37b0f2c6a9dcd4da95cf972ec790b43deeb1c22322d17e1

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\Plugins\FileSearcher.dll

Filesize
433KB

MD5
4e1922ee8333847507a34823ed695131

SHA1
5df1f96b0a0a43eadeb101c54864a85cf51e9521

SHA256
a6bdd625fa1d9a7ee66e4ca09ced0b3dca8afd2ad92ecaf44fd9a879b57cb198

SHA512
e4f2bc24f7d44e19580d561599b563ef2d011cffbd64851c867b03aab22e650da55150b6bc9c02389acffe546efdcc17da72204fef4e6e49a53e27be1a290f0a

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\Plugins\RemoteCamera.dll

Filesize
452KB

MD5
1b2c9164e625b600e699151de11d9e98

SHA1
2ce0aa3161c641623afd1acfa922fce5f10a709c

SHA256
87938027a63a867b831c86611dc6a2c1fc6af61526dc2269328af4b59e15b1e1

SHA512
aa0785b079059463a1df409380451c2be7c3bd627a199661627815f364689ed3816dc9cb78725fab510d687d6866186f3fbdb62b633554b9a0aa324730487729

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\ServerCertificate.p12

Filesize
4KB

MD5
f14fda762d71c3b5231e41f8e3008255

SHA1
7cab0b6c677727616f8a42cb8572be0781b7289a

SHA256
8fd3edd6648b9108d668fc5ad2f697f0b95942608452e7e7bcdbbea64ae1f066

SHA512
1d49514bb23ea47d62ee861b5de64aeda4054193ef2289470fc37c288e7b3d1a6f6a1c3d0a45796fc23b1a60b0c75c40e3ff4df48dc8ca33626fef0089a74b57

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\Stub\Stub.exe

Filesize
38KB

MD5
f76702fa423ce2b2b4b0fdcf547b0789

SHA1
ea408a4419e8a3139ef14df987608964c12d3190

SHA256
0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e

SHA512
03c7d8814687bb4f11ac41a555f368d89d5be749c92624073b77da0e57d872df201f2657b180ad0c9d5bc9ffa0a85989bf31374c7e5deefa06cf36bce3697971

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 319108.crdownload

Filesize
6.9MB

MD5
30b1961a9b56972841a3806e716531d7

SHA1
63c6880d936a60fefc43a51715036c93265a4ae5

SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

SHA512
9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/824-1063-0x00000285B1C30000-0x00000285B1C42000-memory.dmp

Filesize
72KB

Download
memory/824-1043-0x00000285B1830000-0x00000285B1A82000-memory.dmp

Filesize
2.3MB

Download
memory/824-1041-0x0000028596BF0000-0x000002859725A000-memory.dmp

Filesize
6.4MB

Download
memory/824-1191-0x00000285B26E0000-0x00000285B26FA000-memory.dmp

Filesize
104KB

Download
memory/824-1053-0x00000285B1C60000-0x00000285B1C6A000-memory.dmp

Filesize
40KB

Download
memory/824-1064-0x00000285B5A60000-0x00000285B5CE0000-memory.dmp

Filesize
2.5MB

Download
memory/824-1168-0x00000285B26D0000-0x00000285B26D8000-memory.dmp

Filesize
32KB

Download
memory/824-1169-0x00000285B8B50000-0x00000285B8C76000-memory.dmp

Filesize
1.1MB

Download
memory/4100-1228-0x0000000006D50000-0x0000000006DC8000-memory.dmp

Filesize
480KB

Download
memory/4100-1265-0x0000000006B50000-0x0000000006BB4000-memory.dmp

Filesize
400KB

Download
memory/4100-1211-0x00000000065A0000-0x0000000006B46000-memory.dmp

Filesize
5.6MB

Download
memory/4100-1229-0x0000000006E80000-0x0000000006E9E000-memory.dmp

Filesize
120KB

Download
memory/4100-1436-0x0000000007780000-0x0000000007812000-memory.dmp

Filesize
584KB

Download
memory/4100-1230-0x00000000074C0000-0x0000000007528000-memory.dmp

Filesize
416KB

Download
memory/4100-1231-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/4100-1227-0x0000000006DD0000-0x0000000006E46000-memory.dmp

Filesize
472KB

Download
memory/5116-1200-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/5116-1201-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/5116-1202-0x00000000052E0000-0x000000000537C000-memory.dmp

Filesize
624KB

Download