phemedrone | hxxps://mega[.]nz/file/HccTVRRR#vN0cUJcILuzE6ziZSDbruaGqr8fEbvJSNnbg_5N_3g4

Analysis

max time kernel
330s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/HccTVRRR#vN0cUJcILuzE6ziZSDbruaGqr8fEbvJSNnbg_5N_3g4

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7250665686:AAHW0YznZP8w-6An0q8-OF3zVVfXyjQuxLM/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Executes dropped EXE 3 IoCs

pid	Process
5596	lite.exe
5948	lite.exe
5364	lite.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 251678.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1156	msedge.exe
1156	msedge.exe
3352	msedge.exe
3352	msedge.exe
3108	identity_helper.exe
3108	identity_helper.exe
5360	msedge.exe
5360	msedge.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe
5596	lite.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3424	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1364	AUDIODG.EXE
Token: SeDebugPrivilege	5596	lite.exe
Token: SeDebugPrivilege	5948	lite.exe
Token: SeDebugPrivilege	3424	taskmgr.exe
Token: SeSystemProfilePrivilege	3424	taskmgr.exe
Token: SeCreateGlobalPrivilege	3424	taskmgr.exe
Token: SeDebugPrivilege	5364	lite.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2196	3352	msedge.exe	81
PID 3352 wrote to memory of 2196	3352	msedge.exe	81
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 412	3352	msedge.exe	82
PID 3352 wrote to memory of 1156	3352	msedge.exe	83
PID 3352 wrote to memory of 1156	3352	msedge.exe	83
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84
PID 3352 wrote to memory of 3628	3352	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/HccTVRRR#vN0cUJcILuzE6ziZSDbruaGqr8fEbvJSNnbg_5N_3g4
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97d9546f8,0x7ff97d954708,0x7ff97d954718
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,7270962896693581004,355705968122558372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
  2⤵
  PID:5716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5476

C:\Users\Admin\Downloads\lite.exe
"C:\Users\Admin\Downloads\lite.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Users\Admin\Downloads\lite.exe
"C:\Users\Admin\Downloads\lite.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5948

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3424

C:\Windows\System32\fruvan.exe
"C:\Windows\System32\fruvan.exe"
1⤵
PID:4420

C:\Users\Admin\Downloads\lite.exe
"C:\Users\Admin\Downloads\lite.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lite.exe.log

Filesize
1KB

MD5
4272497d3c3536eb06331f00a9c5ad96

SHA1
a63406b354c660c8284a07f9812cc953968ce5aa

SHA256
181052c912dc4377b7debfbd342ad17da67d7af140026c008988af728c0bacb1

SHA512
f0c37354f03f9133b9b38309e44cccec9b982d6868daf36600d105530015edad3f8ac5fdbbcc1e3845351ccd2d8043a5b3e12045914e803d33878ae9d4c8b8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
09a751265e44e5c324b80edac5662ffb

SHA1
cfbdd99c9ec990a3149b4a7ee0c04234389c0067

SHA256
060a7008afab7b2d817de53c88a6c85375a6672844afdb962518cd296e9a6155

SHA512
0c3357a80250ae12f6b24aff001c3fef52193f6ceb614e83a2e23fbe1142fea7369e5ca2e44fba9f1e55440925b028508d467bee19fb77e6bd764364dbc15e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLite

Filesize
64KB

MD5
2b65c5d1ab0aa3f3f57c635932c12a5d

SHA1
b532c837537438e591d5d6adbf96a5dfe5c40eba

SHA256
c111777e9b9a42cf62b06900b847283238af63d15033c40577cb10aaa58c084a

SHA512
7d75089fb928c23c0166a74bb2baa3c1245bb23012d30ec2cf1fe71f8412700d354d4b9b8070309b23a5b003e37727ecd00f9ffaa018ffa5bb67ad1bed58e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
4b2c2509fcec57b6021341f330a039c2

SHA1
d88cd727cdebdaba56b20181028a9429c6d069c7

SHA256
be9472968d2649a59e398a0411569932c4a24740387ec7c1517beb46de4b0e66

SHA512
31c8a4777a910d4f8d0c841fb47cf8ce59d81b0f065e2fdb60b07d00a365e8073e3aa70a6a7eaa77f8ad11cfe36687604cd380f61ad536dfcd184e9bbba262e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
903812ab6501865551562164db5aa396

SHA1
668d412ca98f0acccaf60778f376e684e46e33cc

SHA256
f5f3bea225a949f5af6e5e26b5f2a0de1f60ffc5225f4437eab8494dcba9dc6e

SHA512
530d2f438c46cc29416feebc0c7127b4800b1b7f230986f9c4817227a4028019d386953e3b046201f9c35e5d1b086e342d942523d81333fa831f0c89b9bdd858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\000003.log

Filesize
225B

MD5
32e05f766c6d2bbc5e71da313544ceff

SHA1
cd561c791bd82bd0dd1602eda3fda926d5a7bcae

SHA256
92347dd590b59085bc4b186607a9702cfd213977327ac30d76bf44c08b5a4d95

SHA512
5093cca292f783cb0b5ec5296c3f67087dcd7ac4a218c1503846c2bdee16bc36eaaeb4e9ee2a60121d8bc49e69f5bfbd48c758b837a9c33cbaa7ad59a48f99af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\LOG

Filesize
295B

MD5
58babd491c86e71c938d85252cf7c2bf

SHA1
581afd2a85f2552158d750ad693414a4d5daea23

SHA256
52d69ada6414c3e9fc208db06e55a9147100b70747c4ec24574628abdfe7b103

SHA512
7dec97cb6e8d7b3a4cf9f4e0e78e31856bec43d438f4dea55a89cdb0a1e90edf6c1a8f53ab3ff24dee2e1f76a3b46331a766dcf50f05e89b084e1a12140b3bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\000003.log

Filesize
95B

MD5
7967dc4224c4fde89093b2f09fd68005

SHA1
ab860a4f12e85cfc4f91ff293a935454972bf076

SHA256
a1b3a75262e8436e8a0c90a4b3d5379ea0d8e8a42d447970be029b07c8633cd7

SHA512
ab19ef44579b38c64ee2cfe4df8dd68f2664555b0bbc49eef227dcde444eca4b0f6a366db91fba30b760cb621ab6ce1e70410dbd7869377046532180104580ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\LOG

Filesize
287B

MD5
a439ffcc5cb0ff35b37c7d859506dd14

SHA1
14565dadcdeb7dce23a09f822a9687cf17c4426a

SHA256
9e9eecc4a035c70d85dbabd4d3d3a52768be2deed01aae1e3a27fe1c0de4e573

SHA512
467bb2a3f9d8c4473d8f3051241629dd84295e2de01eb274e4584c3b936c05dc4084b34c413919c231f8dd5876360717fd3ae0831c34813f2de88c4dfcc0b120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
27f806c893e3ca55986b17677440b303

SHA1
270750d661c23bde9c015d46cdbf9e382214c720

SHA256
1c214772c4124755eee1d4989aba7c9ab09601703e75a7d06687aa7952a0ab4c

SHA512
6a4c37fac3a9c03977279c24e4925c0ab29041f75e945583f3ea649c9c8417b36bfc94f65bdefa1b7864a068ed13d886196d944e2e146a2ec2c1016f5eedb3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8cfd7f504576adb8939ff8addc39bea5

SHA1
591526156618313e007d947907560396cb5367db

SHA256
50fd55ac5bf33dd0fe76d8ba4c17e414754c5001c1681464db24520c7a16a767

SHA512
cf70eebf6be8a6db288993e1e5120e1bab92c8a2b1352b13a580a9cbdbf431eb29c279d2e1b7ff202140c2e87e96ab447617ef6a2b5ddd0f4ddb577ec5947102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c91902330d3108da73ac5798b781ef07

SHA1
c73436e3cb1835a5dbfcbe1fb97dc0ca970ae901

SHA256
0d23c1d5b002a204a780bf9bc1e8c785544a0b528f48b216132c650452b6257e

SHA512
cc25d9332498fcdbfea2181ceb7268640f1562268b93169ef099e56d4968b2df1c42182f09c0bfcc0f57f0dec991ea679d209f3720c081a1418d3c6e4204f1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\QuotaManager

Filesize
44KB

MD5
a8b3c335d6cdf46014d41ce9c0738cbb

SHA1
5ae66a7dce348c67705201304b55a7e680358620

SHA256
d1b2b719220fe02c65a983b1fff016af361b1eae4bdcf285a054f42d3833a78c

SHA512
0675c26a2756eb41e19444c4db32be06aed21b316178e63573cfc8d0d3c7429829a3ee8e9b8c437ef7edce61be19cdda80642f52e91e6bb4ce5088980b7d35a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\QuotaManager-journal

Filesize
20KB

MD5
8f8b0a9daac181aa77550c295ab400ab

SHA1
17c7bba09c4959f8f7469e237487a4116f02c80e

SHA256
31a6656bbe3d7f4fe76d3be48ac88de29db73f5027da6f5e87a01901aec3b570

SHA512
526d025d0b8fff8a6597f064a7d14990d9790bcabdc1247c605f0204efe9cfa66ce07d7f188235f7fafdbd84c6293f7c0c0e3174d51812f360d7b7e961d2471a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Filesize
583B

MD5
9dd85dfd3decc61de97f35e337282df0

SHA1
9aee4be298a737e26e61d7382c06803d1e7cdd93

SHA256
b463c2e68f385c77bb680c436fdfc4c01121484376b84057fafeeeb15ebcba14

SHA512
2479b37fc6ac1fbeb157ae5e8adff605fbd5ea7c227057bb2c68d08a0d9fa35df70cec70fba54c77f7ef0cc8c1f09191c89f38c5c02ef53c5e50701dbd2925c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
295B

MD5
0d14e7c17dc4b66f609c4311c64b6948

SHA1
ba8d7ad8149b63ee62f47722752ee2902de9ba74

SHA256
1f82958aea8170030be4341ef23a3d4988ce59ea13be923aca9e021242ca9de5

SHA512
3bc7023b58599fdd00f37b86a984711f0c58e84ca46965034b594e69e99de3f92af70bac547e982efbca8eb2e461f12f20f5d0ca20e017c7e84b88e26b6859e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7a3141576b0879ffe013930292970fe5

SHA1
4ee50c8b6b0945c9dc024a4369c0ec8b3f5ce3c2

SHA256
10a11eb520e1fa95b31aca1f2559402202050e8a89630bdc85bd30047a746f05

SHA512
71e6b422a56c145b4f1c59724fcfb4f807f5d1df4b69a2d69ac78771867755ec9486a851a834797cdcbf459bc6611b112fdb79736306b120876d170745a323e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a8f2.TMP

Filesize
48B

MD5
bb3f4a4aeb91fcbf91fe5762dfdce53b

SHA1
009e3c397ebcfcf17bfa28ff0c6d979ac7becd62

SHA256
5ef21c320375aefa85b0289a77ef93079296edbf85cb8657d0a916c01fb125eb

SHA512
14c94008404f8a7e06f14ac17d42668d03c01479eff9e8bf0da3b15327cae4c9a0270f6228e8a52f2f395783262854b08b0931dcb9d6716e8229221a89e411ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13364050579193389

Filesize
27KB

MD5
93f4bfb8587fee945f10c40acd240c1b

SHA1
52c5c718d4b8376639823304f10590f3f5acf0a5

SHA256
82defb31734e8aface61b163cf6681c6b1d786aca1f8e95730e8497c9ca11ff9

SHA512
64e8aafaca518809d7cff75b5f1b4964e8c4cdc0acbc870d135048446e8d74327133170f661961c4d4588b024454036a004912b0ba7577690379fd79df96431a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13364050579389389

Filesize
933B

MD5
3be99ae2c1e0da47f175b7e7a3036ad6

SHA1
ef79503360973ce988fe8e0fd4db13e52fe5d8bb

SHA256
841f02f9390b96fd63414af5405a95b604f34843c6ea092809843596c6ba602c

SHA512
f1bfd0bd3488a933a078eab39b8408f02fdfa4cd02dd7ae58084fd6f341ff3191a287f253ca0551392232a465dd871fd79317fba82d92bb5896887795ad64e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1d065a772aba413b9105eebb8035df23

SHA1
77e849262161fdd8d0bf186a2e307de9872b9b44

SHA256
5fd294eb71a45bdc116bb64fd25e694bdb31f645737be504c86c23e404ed39af

SHA512
b9cbb342a6d69cb661bd7497c40840397e8c2867fa9408e9bcc1abfdaa4f7207218ceb6ab126cf0d7836de2849d7e27c05b88ba2b5d85d786ec80945d2f01621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
643989d22262669bb4de04edce8ca4d4

SHA1
daa4009a53ab0a72913ef56beeccad14b5fcfce0

SHA256
debdb96f4275992324db7c55d44ae1066cec825fd6abbeeb79263050022cf3c8

SHA512
df10d0670a114c52d532691d16d4d3f359030d80a28261ae16b54f12dbb8120c7ff93813d791a70fad8876531692e4de2fd3c7db0af0142afb342b3d4e9a44b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
dd9c7f72e429b76b8e94cb6ac7d3b052

SHA1
8f5c736ce0f99f8ca9a79ad717c9acf5fc33f0de

SHA256
e20c3102e082a79e862803f38fa9f44ba0d9a369b763fbfabe1f9cadfd62f3ca

SHA512
ce3ef3646d48ce4b94223b5d8bf482f5561bb11db48fac65edfeba25932bddb6bd361b196b5867e7d2d6e6cdbfc642efe101db223dbecffb24aa29b57ef9f365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

Filesize
10KB

MD5
69d11176b29eaf13adafed73b2d328c1

SHA1
b37156268ad718f52adc9e9d0793f648ce459a7f

SHA256
b4feec07e7d55c1101bb41b6a22632ca1892a4b4fdad0c0720e63d3162376ec0

SHA512
f70d76edfff443f4a1048e18b71a71df41fadfa4b502c4b2b3ad15f9ba7a111038f309a934549bdd3bafefb531ad044bbd8692148d5b241fd32915d6d84b55e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
7519acc37195f8226c6e828faa9af29b

SHA1
b490eac705709112aa16d00e9a2961b47207e97f

SHA256
3257f9a50b8c3f8811f7729ce7c147c9d8b4147e415ba2d85b0d475a25f474ee

SHA512
2396ca89ee94f15f68ae2e95938cb0f2b606854c87a3bfe62f6626aeeb710595e9e67125a349d103822b75a3904a72418ba8108a09817f22cf24170295e11792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

Filesize
28KB

MD5
f52b3e5685c4f2b98461bb84fe93ab55

SHA1
89d471548ded09933e4180cbffae6b54f3227173

SHA256
4ed3ecc79883e5c9a3d3aec94acd8d00cd5d88c311b5101e82639c258a2816f0

SHA512
2f1652f4e2522276f0b1c7dcb9db117ceebefd3df146222102016993ade3442da03218b35f0bd3b487327a09094d28cebb80d3afe258be2048b330c1bc1c9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
788KB

MD5
64f86a30b11b6e056e067156d43a9659

SHA1
5cb1316fd329af0fd376e69d285534cb73b29ee1

SHA256
a78837e138efd2a5c6763343e7c1eadb39f855419188c1a84fa8c9da33bf1ee3

SHA512
5f125bd492284ba9e949b627022217682a67e958a9519c2d7fb5beb62b204bb53bf9f2b24a5769fe0f31b7ffcf1fcc57d0e050b9737aa86d4b25c77904324605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
791f50eb5320bd3afab35c2d061db547

SHA1
71e1a71b3c3a98f06a4aa73c19b0039d64deaf12

SHA256
0c59fa71a1520104fed36a3ee70a17d385705af5de52e07191d2d8088000cf48

SHA512
7f6b73cadb37727895d67dbee1768cb9d61e44c4a09ccf22ff4e08f16756c195887e9ec6174b345de6ee458f021eee8f086b7e1949a190f9842b69c3d85ff4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
814ec7623380ee8a7080829e008dc217

SHA1
9bba433b3c93a66c0b9dfcc3c7f3a609d1675f2e

SHA256
91a6eaa42a6f394cb79b04a124d55243b1e6eff881a8600f07a2d28bb5fd72a2

SHA512
a95a659e23a0d8a30e59af9ba63973e71420bd748021623bd4f5fd0b78a1d73c11361e143b12a1ec606eac94ba8992efaca90722479d0fc28c5ae464bc8d831b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
531B

MD5
1bd1c4bc9fa87990262f4a9a1111a65a

SHA1
2538415b6a6c0a441238aa4d9568e335dd02af47

SHA256
d0bcc1e7d64f86c3adb8de3ab115f33f77e4f02ecd04aa9ce5005c793e0e870b

SHA512
6f3cecaa559934a97d62d84de0655c6d0f7146121a9a7122df03cc1a2298531558c679358add4542555a127c71d0d276fa65e5495c9e11a57272ef717ef8ed6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
39033122b4fc8527bc5167c6d3cc732f

SHA1
4770f09a6d804523857b01dee97da7c85ac37f18

SHA256
4cb0da588b4c31be11b3609a717170df89274b1e515b17683174f42ca618db23

SHA512
4944e3b0385c8ed7c034cf5c1ac3efc03e97bb53147c26d3787198889c02ecb369fa8a95f356e5c87bdb4d82b2e2303816605a18405dec45eafc727980b4723e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
56c8c08ac3ff0a9f6bd518c09708a5ec

SHA1
e334cda275306be166e395aee64d2f5f73ef9530

SHA256
6feeccc076c94788127dbe56b759b7a9e5e3c35cd05ee75b79c4e74cac82b013

SHA512
cba4f7d4fade651e1161d4aa729075589069d3097af07d146b8208e15fd6b24de11da7622793b200c9b28f7ae77f3a63e6c5dfc3b5f99685754f02177cac9fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0af9452dbaef76870b03bdd9f206e8d9

SHA1
faeb85fa3d4d169891a169285c87956991e01b74

SHA256
b87f01eeddd71c113397e702d1a775db2e0d3c58c762bd35814d3dc081ed4b1f

SHA512
cc37022c52df6b7c25b5b0553bef468bc2cb2bc68221218d57e5eaafc5965f37c0f430245418390ee9545d40bc5b77f86e1db90314fd2cdc925d5e6fe45c0faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
5d7e9825ed6706cbe986bc0bb85eb2c6

SHA1
1037b3b2cf7fa13c6833473be3235e5bfe5a7ccc

SHA256
7a28659bf259f8a26aac4dee5f89031dc389cc30c70458533760802e28199b89

SHA512
b37fe546520f5005a0a918d449338e130e8eb0b3d8093ad6e6de4d7bad37cfc9f29cc795285d0a41dc03325252531aeb63817f592fd8076ca375eff611866c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef91dade6eb8a76dfe2473c18a65291b

SHA1
301648b537ced809ef91869f315ec8e0e2c05478

SHA256
853444d80db7d5eb9598e0111335d1aa3ec7aca2305eaea7ad997f2583b940a8

SHA512
d587337d516ee6ff4051fd0edeab6f4aa8fb4f0225c66cdc60d921c1e5a612e1bb1aa974a39f7952ce3ffce33df6c1cc216a95a2b33bba79f4cdcde52b64512e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be0c65c38cbe341827b696272bc70632

SHA1
de7a5de896762c7e6e075a0f35186259b688d778

SHA256
3484a7114548acdd8545170a7450d9a5aeb6bf4015a862798ca8b669275c8531

SHA512
5bd09b5cc2ad5a563f8450d85b184c0c50a3591b175bb65a31b1d00dc1fb1223c46f49f97fefd23fe1044cf1af35d9c3626b748c15239046bb0bebe9a17a0d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a5d5926f43886ba1e7681ef9d3ea07c

SHA1
e6d9da517edc03c85e21fc6a1410d1009934607e

SHA256
86db62bd497f818166b0ae00a1b7f118fc452786319b7ea97411e3c45bceb190

SHA512
0d2ee432f8259a231888d8246e08dfe674cd4ffa71e0459d2b413c395341f1da444ea1ced01e5a4710137da2801c58d3630f37d7ac2bd707aa67037b61b7336b

Download Submit
C:\Users\Admin\Downloads\lite.exe

Filesize
116KB

MD5
9957ff72b98d2fd3819a1c3a5bb7c266

SHA1
27ee49406e1eaaf4ca84e9119baf83d79e199df3

SHA256
103b15ed69b33225af3886c39dca69d542aba6907567bea4f4854a80fe9ca34e

SHA512
52e8cb098534a39b7ad5c251db05fed8b414012f824ced61ba6dd53e29cb8f08e870c19a74906112f2fa3ba60abfcd1d7f3170ac27481a918b1b818bebcb251c

Download Submit
memory/3424-725-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-713-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-722-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-714-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-723-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-721-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-720-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-719-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-724-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/3424-715-0x000002C00CF50000-0x000002C00CF51000-memory.dmp

Filesize
4KB

Download
memory/5596-180-0x00000000007B0000-0x00000000007D4000-memory.dmp

Filesize
144KB

Download