Malware Analysis Report

2024-10-18 22:07

Sample ID: 240611-s2ggsasarc
Target: MEMZ-Destructive.zip
SHA256: 8c19ca3a8b76d47b29de2776def65388f894c77360ebb159168088ab458a3458
Tags: bootkit, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 8c19ca3a8b76d47b29de2776def65388f894c77360ebb159168088ab458a3458

Threat Level: Shows suspicious behavior

The file MEMZ-Destructive.zip was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, persistence

Checks computer location settings

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 15:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 15:37

Reported: 2024-06-11 15:43

Platform: win10-20240404-en

Max time kernel: 220s

Max time network: 322s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\SysWOW64\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A (5 identical entries)
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A (7 identical entries)
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SysWOW64\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\SysWOW64\Taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\INF\netrasa.PNF \??\c:\windows\system32\svchost.exe N/A
File created C:\Windows\INF\netsstpa.PNF \??\c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A (5 identical entries)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\SysWOW64\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\Taskmgr.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A (5 identical entries)

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5f7b269a15bcda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0d4b957e15bcda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1d572bc415bcda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 90b49a8815bcda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe N/A (64 identical entries)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 1528 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
PID 3520 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\notepad.exe
PID 3520 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\notepad.exe
PID 3520 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\notepad.exe
PID 3520 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\calc.exe
PID 3520 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\calc.exe
PID 3520 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\calc.exe
PID 2632 wrote to memory of 404 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2632 wrote to memory of 404 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2632 wrote to memory of 404 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2632 wrote to memory of 404 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2632 wrote to memory of 404 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2632 wrote to memory of 404 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2392 wrote to memory of 4308 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2392 wrote to memory of 4308 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2392 wrote to memory of 4308 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2392 wrote to memory of 4308 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2392 wrote to memory of 4308 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2392 wrote to memory of 4308 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 648 wrote to memory of 2180 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 648 wrote to memory of 2180 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 648 wrote to memory of 2180 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 648 wrote to memory of 2180 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 648 wrote to memory of 2180 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 648 wrote to memory of 2180 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 3520 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 3520 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 3520 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe C:\Windows\SysWOW64\Taskmgr.exe
PID 2824 wrote to memory of 4924 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2824 wrote to memory of 4924 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2824 wrote to memory of 4924 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2824 wrote to memory of 4924 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2824 wrote to memory of 4924 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2824 wrote to memory of 4924 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2464 wrote to memory of 712 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2464 wrote to memory of 712 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2464 wrote to memory of 712 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2464 wrote to memory of 712 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2464 wrote to memory of 712 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2464 wrote to memory of 712 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe"

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog

C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

"C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\SysWOW64\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3bc

C:\Windows\System32\SystemSettingsBroker.exe

C:\Windows\System32\SystemSettingsBroker.exe -Embedding

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s SstpSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s RasMan

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\mmc.exe

"C:\Windows\System32\mmc.exe"

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 228.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.msn.com udp
US 8.8.8.8:53 assets.msn.com udp
SE 92.123.135.83:443 assets.msn.com tcp
SE 92.123.135.83:443 assets.msn.com tcp
SE 92.123.135.83:443 assets.msn.com tcp
SE 92.123.135.83:443 assets.msn.com tcp
US 8.8.8.8:53 83.135.123.92.in-addr.arpa udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp

Files
