994d6a3c00f42e919b596a6234346a095521ce84013474aa462570aa49b0e3da

Analysis

max time kernel
217s
max time network
208s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
16-01-2025 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs regedit.exe 1 IoCs

pid	Process
4508	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4480	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
2788	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
3720	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
1144	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe
4080	MEMZ-Destructive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4508	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3828	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4016	MEMZ-Destructive.exe
4932	identity_helper.exe
4016	MEMZ-Destructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3720	4744	MEMZ-Destructive.exe	77
PID 4744 wrote to memory of 3720	4744	MEMZ-Destructive.exe	77
PID 4744 wrote to memory of 3720	4744	MEMZ-Destructive.exe	77
PID 4744 wrote to memory of 4480	4744	MEMZ-Destructive.exe	78
PID 4744 wrote to memory of 4480	4744	MEMZ-Destructive.exe	78
PID 4744 wrote to memory of 4480	4744	MEMZ-Destructive.exe	78
PID 4744 wrote to memory of 2788	4744	MEMZ-Destructive.exe	79
PID 4744 wrote to memory of 2788	4744	MEMZ-Destructive.exe	79
PID 4744 wrote to memory of 2788	4744	MEMZ-Destructive.exe	79
PID 4744 wrote to memory of 1144	4744	MEMZ-Destructive.exe	80
PID 4744 wrote to memory of 1144	4744	MEMZ-Destructive.exe	80
PID 4744 wrote to memory of 1144	4744	MEMZ-Destructive.exe	80
PID 4744 wrote to memory of 4080	4744	MEMZ-Destructive.exe	81
PID 4744 wrote to memory of 4080	4744	MEMZ-Destructive.exe	81
PID 4744 wrote to memory of 4080	4744	MEMZ-Destructive.exe	81
PID 4744 wrote to memory of 4016	4744	MEMZ-Destructive.exe	82
PID 4744 wrote to memory of 4016	4744	MEMZ-Destructive.exe	82
PID 4744 wrote to memory of 4016	4744	MEMZ-Destructive.exe	82
PID 4016 wrote to memory of 3136	4016	MEMZ-Destructive.exe	85
PID 4016 wrote to memory of 3136	4016	MEMZ-Destructive.exe	85
PID 4016 wrote to memory of 3136	4016	MEMZ-Destructive.exe	85
PID 4016 wrote to memory of 1152	4016	MEMZ-Destructive.exe	86
PID 4016 wrote to memory of 1152	4016	MEMZ-Destructive.exe	86
PID 1152 wrote to memory of 1420	1152	msedge.exe	87
PID 1152 wrote to memory of 1420	1152	msedge.exe	87
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88
PID 1152 wrote to memory of 2240	1152	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x104,0x12c,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      PID:1008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
      4⤵
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 /prefetch:8
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:1640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
      4⤵
      PID:2256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      4⤵
      PID:424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
      4⤵
      PID:2212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
      4⤵
      PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
      4⤵
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6544 /prefetch:8
      4⤵
      PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
      4⤵
      PID:2248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
      4⤵
      PID:764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
      4⤵
      PID:532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
      4⤵
      PID:2832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1384 /prefetch:2
      4⤵
      PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:2684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
      4⤵
      PID:1112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,16051225364582367754,6172989479724225206,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
      4⤵
      PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
    3⤵
    PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real
    3⤵
    PID:2076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
    3⤵
    PID:244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
    3⤵
    PID:1528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
    3⤵
    PID:2052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:2760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
    3⤵
    PID:3556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffdd9a03cb8,0x7ffdd9a03cc8,0x7ffdd9a03cd8
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000047C
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\73a9896da2e8f016_0

Filesize
19KB

MD5
2d6f2450ba733272fde123fb6307c150

SHA1
4f90e6882287cb9fa38fe669be4bc2230539c9b0

SHA256
66014eae534ca3dfb66e4775d564a145b14dacf9364007f96a6f169ea12f2ca4

SHA512
cb26c1dd1a2e4b2083e99f8cf137d7e847be014b495316735900c4684a2ee58c7bd9463723c0a9e772271532cc8820f6be0de712c051aa0f130a47fda76a0496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7cc49516967a6937416b18904a84e824

SHA1
1b93a441ce347f75fbc092b2ca3abe1429e86650

SHA256
ef6360124df5f2bc1e8dd3d9cdcb4e57c317d69abceb61bb5249da428beea144

SHA512
99855ce8bbfbec1d421eceaf62cd42a7f5ef3e128b011e0bff7b0d5024fa806ce35a87eb55554aeb4057cfb1e8901d53350c0568ce7f0972aec55c4b147f4a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8dedd21e04954f9d1c033c469a518f87

SHA1
3be27721d20330d1d0e44489a215739b31b33b1a

SHA256
caf6644a0c901e74fa4eeed4c0818089bd3f882cea314801874c572f50043b86

SHA512
0844795ca3c3a09be8d3809fe31d12420589617d141effffb5418ca4b079e77a4fa613cb8c839ac93d3e954c34e517d317d3f94a2dfd1cd2e81fe226e3ced51b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0bdfa1a738a1eabab1b0bdbfa1aca8f0

SHA1
8d526660b2d9ca5f505fb1b4ee55d744a9447256

SHA256
042007444b9aec75e664f2e41b4ae3e4ea76f0f04beaccff9f97b665aa795978

SHA512
e37d765b2c23c6bd6f5dbfb9a565c30c523f17f2cca2f3f3e5749bcfbd8be4fdb21e9cb8675405db97a6f6bf5257f202133cf89dc9807cd46cdba79f739c08ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
fa206c00ac3529e56ad1832dedbfc62e

SHA1
0dc0f333d15eca7847685177d17b84453567a6c7

SHA256
67358051bbeca917fc18334fc2cb203be17988027f256ac75415b7d76540e5b0

SHA512
1ff6521a028cb985037576b38810b3a558864946c26ae816128de429dc8bed602b09fa8ec0dedb0f458a2fe46e2e392d7299a8719b394b31503e9fd5c116108e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
cde4ea5982684f37764fe44001ddd237

SHA1
1d51dc484f461a10379fe92019f230be90cccaa7

SHA256
4fb94c7633e49e259f1ce9a153daef07ae9d2e7ac65bcde3900a6ef0b3f981c8

SHA512
b1e4b7992245b707dce03258aab7ff1677db0e34c93ce0deab400c85dabdc12314bf82e53d7a87d21f5c1f19862868d5f4cc347df664d76710b50eed377810d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
783B

MD5
4ab5d8cb960924ebc84528e6a51a8a51

SHA1
2348166cb8eb7aab009e4a05ec054fc2b9844a08

SHA256
94ea3c5ce9fdd0406fe4fd0cce6998aca53c54d89291d7f6d5579b7bb61feb93

SHA512
9717dd82138fdd8523d6d02d6f3651639c3d1ac33705b3afa08c2192085ad04befaf6f1af2766dc94859cf3e3b15063eec413491d0c3b51fba2a5e51f1701e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
845B

MD5
7fe44ddc7ce221e9dd7e53fbc4befc7e

SHA1
8e857360247ccda141be4d17d509eb231393be17

SHA256
fea39cb2edadf43e05a540f544d71f57786e4841026c955afb86e0a33ae993b0

SHA512
93bfefcb74237c2f635075a8042e05839a32be9c002f2d0aeefcea1a6bdca5ecc264e2b81ce73696405078226245508f8bcbc2eb5afb50004e898da1b3eb02d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11d8e2c81d6259537fc8881628e60ca8

SHA1
e25b1fa6fdb74d42f0c972802045e08b31f4fffa

SHA256
3b6bfdde84d4876b68a564e74adaca8e8f64951b5c09a01c421295a34bf6d794

SHA512
136a1c257ca00941526c4a8023670912ad11521b37a125803316b2a72d9e6a0102adea450bbae54e40add319fa0bf40160d119e82f79dc2a058a4cb81a43e57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc471e7b629ebc12b1a9f8109fff62e3

SHA1
04226b49112df68a7747522315e8caaa24eb3bd5

SHA256
4333f9bdf01fc3054a148a3701f5b88dab6a543ce8a0c27f7ee47ed6b7b36994

SHA512
b8fb8a1a2c18da8385d58bf8f7ddc72be80ab58b595f889c86e1b547d856cc38d8e90e30e48260e07a53df56c8e2152844c3a2797bc5577b2fea730fe352778a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ccc1baea9cb0d4b63ef27e65eeff224

SHA1
5d24753855fc2e50d66b954a69bd5e9cfb5b0142

SHA256
0124689a906f7422d82e6d7841be8707fef94d2204603e8733e101c7fd4533f5

SHA512
f176344b08047ff1de2e28afcc7e81426f20d83780dc5220917d184b8a4496eb9fbbd15efe2c3ee3bc039d7299b19de6689bce5f6111a21fb91972b13e59d55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18ac6ff6d852625b032cb0633bdb18b3

SHA1
565fde9204609ea8d6fdb804f9777d8e42616a30

SHA256
8fa2ca8ab811787c409f39db43766033306ba510d716db38f09d7720df008049

SHA512
a68e446f2c18f97fea662bfb4a7e1295f930b1b37743063a11b7fe4ccde6a5caefcc09f8936b57273c72d52ebdb3f0fc702a1ec4248b77e06997cd4c95d8daf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d62b311d9701dc5f430727cf24be4da

SHA1
d2a6d16f0ab9545c61ca067ae64303cc9c96cccc

SHA256
b8ddbc688ce23c943037a260397985c68e519211d02fca250219bab4b638ffab

SHA512
2f70458b2e5374afa46c4e6cb4c67496a4920b5db2eb36f3b594f7d218de8a4dccb3c21663507670065947439bacfcfb741dcd8445f881a070552d37adf6b21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba7b12d67a05dd39497ed8e4cbc02a96

SHA1
e0c08f7e35fe392cc6ac496b8816cb70a3fc3c96

SHA256
2c8e00498957d831ddaed8ee7ecfe7b9a5cf737802372df5856e4eab094531c6

SHA512
270cedd105bbb2fcc488699bea063b8862f744441f38775e49cb65593155747bc6b0f139d6784bd18898569c37db83a0e969aa96fc6e4330ae68082adb4ff49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90b230709d3529eb86e67606a38a93e4

SHA1
341db6c75b1a26c3a968f139269688723ace4d40

SHA256
ad90d6e49ad590586ba5bccc2ccfeb240ec04276f4c71936cc08e74364deb38e

SHA512
7de2e887728cca0b954a44859eb02bb8b1e93c8a17ee6af91a71726640aecd8e09eefa518f22ca9dc7d10016e09c6cd553b19f2f17c2a47ce4cbf607b092f0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f05fb5a258dd176a27b7491b9120466

SHA1
9e6479e407da1e720ff166772ac6edc31e5d7a66

SHA256
353a2c4fd5a12afba98075704229fa5a80701ed17c870bbd0cdc076b7cb70d52

SHA512
861e24c145cf8437f9380ea254b280d4cc14cf8f6c0c5a7771fae95abc0493f279900ae44ff732c6b98601fb81311366df47b9798a7a961812e4f90fb5cdb8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
443f0523f434b612fa811bbf382f891f

SHA1
4480987c70de79c82194c302e503ce18e168a69d

SHA256
0b82b17c7dd77b8fd67bf84b8f10f83c52829a6aae1b8b07162f93951598434c

SHA512
cc1bf76e6387bf9a29383a8590587ebbff5e8bc6611c0fcf4ebe0e0b3f476233b6fc49d8188cd6dc7cfffe78fc17afe3f3e64df340ab4bf6634970431c23db31

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit