xenorat | hxxps://www[.]upload[.]ee/files/16822414/mega_top[.]exe[.]html

Resubmissions

03-07-2024 01:55

240703-cckvxa1fnf 1

03-07-2024 01:44

240703-b58a8svfqp 10

Analysis

max time kernel
599s
max time network
547s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/16822414/mega_top.exe.html

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 3 IoCs

pid	Process
4728	mega_top.exe
5020	mega_top.exe
952	mega_top.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "3"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	control.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).y = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\Registry\User\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).right = "1050"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).top = "46"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).bottom = "646"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).x = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	explorer.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 799421.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\mega_top.exe:Zone.Identifier	msedge.exe

Runs regedit.exe 1 IoCs

pid	Process
4660	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1696	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
2980	msedge.exe
2980	msedge.exe
660	msedge.exe
660	msedge.exe
2568	identity_helper.exe
2568	identity_helper.exe
4252	msedge.exe
4252	msedge.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1696	explorer.exe
4812	taskmgr.exe
4660	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4812	control.exe
Token: SeCreatePagefilePrivilege	4812	control.exe
Token: SeDebugPrivilege	4812	taskmgr.exe
Token: SeSystemProfilePrivilege	4812	taskmgr.exe
Token: SeCreateGlobalPrivilege	4812	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
1696	explorer.exe
1696	explorer.exe
1696	explorer.exe
1696	explorer.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
1696	explorer.exe
1696	explorer.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
8	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3392	2980	msedge.exe	79
PID 2980 wrote to memory of 3392	2980	msedge.exe	79
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 3536	2980	msedge.exe	80
PID 2980 wrote to memory of 4080	2980	msedge.exe	81
PID 2980 wrote to memory of 4080	2980	msedge.exe	81
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82
PID 2980 wrote to memory of 4244	2980	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/files/16822414/mega_top.exe.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff947cb3cb8,0x7ff947cb3cc8,0x7ff947cb3cd8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6852 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Users\Admin\Downloads\mega_top.exe
  "C:\Users\Admin\Downloads\mega_top.exe"
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15089313000027855807,3929383882113753705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3084

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1696
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4812
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4660

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2104

C:\Users\Admin\Downloads\mega_top.exe
"C:\Users\Admin\Downloads\mega_top.exe"
1⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\Downloads\mega_top.exe
"C:\Users\Admin\Downloads\mega_top.exe"
1⤵
- Executes dropped EXE
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f738fcca0370135adb459fac0d129b9

SHA1
5af8b563ee883e0b27c1c312dc42245135f7d116

SHA256
1d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63

SHA512
8749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
68de3df9998ac29e64228cf1c32c9649

SHA1
be17a7ab177bef0f03c9d7bd2f25277d86e8fcee

SHA256
96825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43

SHA512
1658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
082e41173e1da296326fcf1058049e6a

SHA1
cc571c8f43fb6e0db36715a0d4bb5d7cb6a369b4

SHA256
62dd20ef1fb4866c42a21a97389227f81c3ad1b1a9951cae84bae7731ed3ac05

SHA512
f6a6a8d9138b0cee5215da9149dde501b0550344450575e59bbdf83ef60df55921fb2983f3ab678f2cfbf376684d4ef5088da568419c8b0485106d4c69bada08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3e8d2edbe62734e6e21427f7686b405d

SHA1
b50ee76b94175f2d0a7d1c2829f51569e6031b40

SHA256
0284bbcb49bd1ba26acb1a15c6a50399a3ed04590a593305394ee370faaa8b45

SHA512
a98ae47427926726cd771fe828218fb12c9297847dbef56b2681abdaab19b4e6d438ab6209341e183e79b06ff3fcea65c9117badfb1aeb24366c1f37f5017e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4cad9a9d2ed6d3a60023f1a8449ac8d0

SHA1
9521af3a5ed813fd5b4cccd2caadddb05bdacec1

SHA256
34d2baa238f1a864363d5e5e19acdc107b1c4e1d1853fe2c68b5ebf76129c9d9

SHA512
69848577915a60df2b99208b94049ba45f3c086c230d088279c82c153c663e732465f5a67834e6925a1d1240769e7b4de228eefbbdc753ce3aa7b652dfde37fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
49e13b72c590fbeb0b44057cedc3dcd0

SHA1
5a0051e186c3a6ff11fc1f34e8a9260e58f3f6fa

SHA256
851fc5a8135bc9ecd0d31eaac44b2d5f52f93a10dfe90bf7de2ed66ef075126b

SHA512
4b7fdec0a488979464d67a3c9c3dc09f2c7d192ea5fd8e78e63653d50a66c644fe43dcdd315581cbda1fabf915fd056ded39baa4514c319a01e33c65a49d8044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8eb394ce1ddb73b85ea901d083dbd5d0

SHA1
36d3f50db0b2005bdca6d4d8337fec1f6bd82809

SHA256
f9e2ea9b179940088617bd1681d0f3a12862c6dc94ad92d718b7e0c5da821688

SHA512
411da12aa47ceb6115ef9cf0ac6b92f186d0a4096d1fce40e87ecf2e5a8b6c977c0497be67968e3050cb474fcbcf287272c6179c110b7a4c21c90cca5edc18fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f13792fa6d1712f23be457b8c21198ce

SHA1
037409f1709fff212036af314ce523be3f2845d9

SHA256
0a4a4d2bbdfa48dd76ef7a7b0dce69a98a6bc945144f69addf33b2a79edf738c

SHA512
92f29d0a3f68f844e40df70996456ef52285273a82754cc293c79768df7e5d865f56f66d64dde647b5a279743d73b213671af0c8acfee1f975647df3b631fc37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb0ec4238ec9495be80f63ab658b885c

SHA1
9f487173ba9c3f30f7bd7cf3cbb1c9ad902bde52

SHA256
eb71bc7923767588025dbb6958bb70d03d662db5dd75a98f69b784b7a2c1e8a6

SHA512
a597d6b6336faf75a8b2c51ca034b7e42a7dd18a37dcd250db44ec3cb69b871ef74d35d0b8d5c9c680e9d2a9e1ddd42da776601c01a1758b0b8e9cb760bb8af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57497683389608cb84c6b44db380af37

SHA1
cb466cdfeecb508fdf80eddbd4674762346f7a2b

SHA256
d4d6b4c2103fa6a5350d702fab72b2904aa3229a325054ef6d328474f98978a2

SHA512
41aa251ce769802f777ce8007f2e5c4cb07ddbd71301a612d9da796e034241eaccc6931a2465e8739dc57a1fa5baabb6e050365c39f338f2feec71348bb0f90f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
3f57c7d589559a1715fc061f10e555f6

SHA1
064e19cae394abde070e9539fdeb839c537c3c50

SHA256
99fff0d79c48db8d1bcc19718fecaa527b2b108a44cd2c1caca2336bcec4ef83

SHA512
4c5a676721f8f1f18b3dc9796e16cf403d51a6f1f190ea6587909bd24d040a084797ee56fec8b38bbcc7204bddba1abf1afa5e3097d1eff8eb53d7d8206f5dd1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
76895a9958fcec9da538d1d9f09db9c2

SHA1
fd939724a66719fd6acfb55cd44ce901c9cb5fbd

SHA256
728c9cfd134307c0dbbefc344282c946b32f7f44d9c6b8af997636359b98257e

SHA512
f773262b808ec110def178dc79fb8da03bed38ed275fb6d002afe80a34f28f68f619163d589946eb3c8acadf436e72682a2a721fc3907718a903c84f02d93db6

Download Submit
C:\Users\Admin\Downloads\mega_top.exe

Filesize
45KB

MD5
42faf67435979c1245010683d8e916b5

SHA1
b93b780736398c6e4001c150276ccb24982ed67f

SHA256
eef18c81faeee1877aa9cd8d8aef18b643a434fd3da221cc724070ec863e5fcd

SHA512
ff0fd19b423da9c89a6729790f5f39bac4e2dd03d62ad8c8fcf9628afb7e57a58b0a4700ee8811ba6c6191390c7cf3816342852fb90fc583ba261fd4637fcd86

Download Submit
C:\Users\Admin\Downloads\mega_top.exe:Zone.Identifier

Filesize
177B

MD5
68650e1c83c204b5577a27b875edad8d

SHA1
446184303681ecf3c4a12d6f3b9ccd94ea7801c7

SHA256
86c458b714a0905d12438948d590d8a958a8481f4fd703129e2bbb8fff94265e

SHA512
382a26835d4e42def148fcbe816c983330b70d374031601e55096531e1d4c06c6cd8fc07f4d035b78b33215d9bcb2c5208904be85e9167be46a658d7ebdca547

Download Submit
memory/4728-142-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/4812-237-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-238-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-236-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-248-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-247-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-244-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-243-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-242-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-246-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download
memory/4812-245-0x0000025CB1950000-0x0000025CB1951000-memory.dmp

Filesize
4KB

Download