hxxps://download[.]novafn[.]dev/

Analysis

max time kernel
201s
max time network
204s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.novafn.dev/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5024	NovaLauncher.Web.exe
1236	NovaLauncher.Web.exe
5596	NovaLauncher.Web.exe
2320	NovaLauncher.Web.exe

Loads dropped DLL 2 IoCs

pid	Process
5424	MsiExec.exe
1408	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Project Nova\Nova Launcher\Nova.ico	msiexec.exe
File created	C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e596529.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6691.tmp	msiexec.exe
File created	C:\Windows\Installer\e59652b.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF94B24A1CA3139BCD.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65F4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9B911E1497679403.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e596529.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFE0051672FC8095E.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{071444F9-5B61-4482-94C4-F2B13CD39908}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5FA3A1758F1A357D.TMP	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f512e6be856207af0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f512e6be0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f512e6be000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df512e6be000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f512e6be00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3070649267-739947649-3250922198-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 786373.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NovaLauncher_44dc2817f4e85757cc52784cd3521c67.msi:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5172	msedge.exe
5172	msedge.exe
5328	msedge.exe
5328	msedge.exe
4304	msedge.exe
4304	msedge.exe
5960	identity_helper.exe
5960	identity_helper.exe
492	msedge.exe
492	msedge.exe
1380	msiexec.exe
1380	msiexec.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
5024	NovaLauncher.Web.exe
1236	NovaLauncher.Web.exe
5596	NovaLauncher.Web.exe
2320	NovaLauncher.Web.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	6096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6096	msiexec.exe
Token: SeSecurityPrivilege	1380	msiexec.exe
Token: SeCreateTokenPrivilege	6096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6096	msiexec.exe
Token: SeLockMemoryPrivilege	6096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6096	msiexec.exe
Token: SeMachineAccountPrivilege	6096	msiexec.exe
Token: SeTcbPrivilege	6096	msiexec.exe
Token: SeSecurityPrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeLoadDriverPrivilege	6096	msiexec.exe
Token: SeSystemProfilePrivilege	6096	msiexec.exe
Token: SeSystemtimePrivilege	6096	msiexec.exe
Token: SeProfSingleProcessPrivilege	6096	msiexec.exe
Token: SeIncBasePriorityPrivilege	6096	msiexec.exe
Token: SeCreatePagefilePrivilege	6096	msiexec.exe
Token: SeCreatePermanentPrivilege	6096	msiexec.exe
Token: SeBackupPrivilege	6096	msiexec.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeShutdownPrivilege	6096	msiexec.exe
Token: SeDebugPrivilege	6096	msiexec.exe
Token: SeAuditPrivilege	6096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	6096	msiexec.exe
Token: SeChangeNotifyPrivilege	6096	msiexec.exe
Token: SeRemoteShutdownPrivilege	6096	msiexec.exe
Token: SeUndockPrivilege	6096	msiexec.exe
Token: SeSyncAgentPrivilege	6096	msiexec.exe
Token: SeEnableDelegationPrivilege	6096	msiexec.exe
Token: SeManageVolumePrivilege	6096	msiexec.exe
Token: SeImpersonatePrivilege	6096	msiexec.exe
Token: SeCreateGlobalPrivilege	6096	msiexec.exe
Token: SeCreateTokenPrivilege	6096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6096	msiexec.exe
Token: SeLockMemoryPrivilege	6096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6096	msiexec.exe
Token: SeMachineAccountPrivilege	6096	msiexec.exe
Token: SeTcbPrivilege	6096	msiexec.exe
Token: SeSecurityPrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeLoadDriverPrivilege	6096	msiexec.exe
Token: SeSystemProfilePrivilege	6096	msiexec.exe
Token: SeSystemtimePrivilege	6096	msiexec.exe
Token: SeProfSingleProcessPrivilege	6096	msiexec.exe
Token: SeIncBasePriorityPrivilege	6096	msiexec.exe
Token: SeCreatePagefilePrivilege	6096	msiexec.exe
Token: SeCreatePermanentPrivilege	6096	msiexec.exe
Token: SeBackupPrivilege	6096	msiexec.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeShutdownPrivilege	6096	msiexec.exe
Token: SeDebugPrivilege	6096	msiexec.exe
Token: SeAuditPrivilege	6096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	6096	msiexec.exe
Token: SeChangeNotifyPrivilege	6096	msiexec.exe
Token: SeRemoteShutdownPrivilege	6096	msiexec.exe
Token: SeUndockPrivilege	6096	msiexec.exe
Token: SeSyncAgentPrivilege	6096	msiexec.exe
Token: SeEnableDelegationPrivilege	6096	msiexec.exe
Token: SeManageVolumePrivilege	6096	msiexec.exe
Token: SeImpersonatePrivilege	6096	msiexec.exe
Token: SeCreateGlobalPrivilege	6096	msiexec.exe
Token: SeCreateTokenPrivilege	6096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6096	msiexec.exe
Token: SeLockMemoryPrivilege	6096	msiexec.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
6096	msiexec.exe
6096	msiexec.exe
5328	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5328 wrote to memory of 5292	5328	msedge.exe	79
PID 5328 wrote to memory of 5292	5328	msedge.exe	79
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 4000	5328	msedge.exe	80
PID 5328 wrote to memory of 5172	5328	msedge.exe	81
PID 5328 wrote to memory of 5172	5328	msedge.exe	81
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82
PID 5328 wrote to memory of 5832	5328	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.novafn.dev/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85ddd3cb8,0x7ff85ddd3cc8,0x7ff85ddd3cd8
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\NovaLauncher_44dc2817f4e85757cc52784cd3521c67.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,17672569477316161995,15362510084266887547,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4864 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D8
1⤵
PID:836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F926F9421D51926A1A781F1CB894C7AE C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5424
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0992381F087A8172B49D055E13D5DDBE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4564

C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
"C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
"C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
"C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3368

C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
"C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59652a.rbs

Filesize
9KB

MD5
102cd88e74f1165a13c5b09c5981f2b5

SHA1
b61529c768ea25380d2fb3d364b145454a1ddc95

SHA256
280e35e5982ed235c3d226130d927d1922efedf4b09767a8e1e316c82af59078

SHA512
ab30755eda59a7f609d398a7cb5cd46c0eff642ad97d71c3541e8235e364f2d70ab37666d3bf4e7395a67f40cf8afe218e524c4f9114f74c50c09bca21ffd08c

Download Submit
C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe

Filesize
23.2MB

MD5
d614f11f98b8c059b689189d4f00deed

SHA1
604bbaf15e69c1a31ab7026adb4b942feccebbab

SHA256
c3856399a4e3ede23748ec060e7cfc9293e09480d20c2f29e455ec2e33f9012e

SHA512
a89d8a000a5bf32272d4caa3e7398073267aa319bf1ab29f40d38549c596ee145d9bdabaa30931045a67493ec685d4d6898d8a996f61c37c136a73b9bfd5f8e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_8161B15032C07B64978FB2EBA40D052B

Filesize
727B

MD5
f71279bf5120bec90b59eb35770d57fa

SHA1
fa08c1cb95ca37fca3c4998cfd0b1adc81e9c2cc

SHA256
728fb41ee90199c55fc8c68be578783deffd231ecbd3947cf26c3440b8104fa8

SHA512
9d2bf00374c7fc6d15a96c1cf1335c0eb21d9308eb3d442d81d58a5acb076693dd086185ae7f3896ad3f8ab9b086e83042551ef8e074609ec75ce501d96e0c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_8161B15032C07B64978FB2EBA40D052B

Filesize
478B

MD5
aed7dd62e13c50d9c5fb5cc9b5d74a17

SHA1
af0b693caf4cd03d2ededffd18e2e21d2cfb5f5d

SHA256
8d8931228eca7d054fa356b7d6683295914670beba60895013ac29c0c01af341

SHA512
b9a208fb2ad337f9176e772b07be723630cfd549693449dcb246a1ce06b77bdc3664d517548b90523affa9ba61d485a18c07ccc743c63e9c88cda4947ebbf6f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
d8b1c7a9e8c999b0ba54b1527860718a

SHA1
fe9278a5fc84ee4e71228f760debc64ca2b7be97

SHA256
8309990b256549b9b4e72462748614c76f85150f24e4c2652b09ca5c66d22c63

SHA512
bbc9ba438715c72a36aa58d1bb092b068bf938433d7ff8d1bf795d3de64623d90c77e5e5a8d134caf658dda04c7a82411d0782a27a8eccfe8fede5c921e6bf97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f21010c94e1009f08062dd9e5a111f3f

SHA1
a02eb37688abf5ccacdd4eba9c3d274ab2a44abf

SHA256
f7f88cda54d24605bbfb55c55e0d02e9fc73271b715b71fb51394095421f82a2

SHA512
5d8cc69ae7bb6373194ce9bf69e30459516e7105da72df41715fd33c3282c7d16b06c5c23137d65596b60e524a688d69814249e126d270e187b58f36505f7aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e055230e18b5c829279f7bc999b631d

SHA1
025d3d0c87346b7822c481517e833edea2120a40

SHA256
fe144bb89636e3fc5c3cc8619995d065f032f04faca4c87503facb615fff777f

SHA512
446a328effa484804f758f7279c693b278383fa29489a81fd4ddf581af10e634331ffd5b22e34688d3bc18172fede091966c69dfbd644a5f05dfdacc0777b2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
cd14c584933073036ee46da136099e34

SHA1
7fed39084208d6f65796e122e3b921be25fba4b1

SHA256
4905730ff334946b47e05829d2107c5edcab5b5eac3d716892f0131ba2578472

SHA512
66c5ce37f7ca319b1b2bda1bfe4d38cb0aa3f814419d054c9111de6e3179fe19aca04dbb6690efca40d14b20d41c141d59f2861239a729c5265955deed4488ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
777c553a233cad2286d21d026dc1cecb

SHA1
6b74f885d3d64e14c805561cc9f61a0a56dc3819

SHA256
96bde18ff892cdc7569802942e1a5c90f39fe87062e4c7cd1a8915ee24832e1b

SHA512
7c35abe0f8a22cc4d14a8de65ffd648a7941271a7e7b3689487f3524b967fe25fdacb5481270670aaa75c633a0459497ff397db47120391b90707394cbb60296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
73768505f93b0148914557fd55429c94

SHA1
fb11b3f6cdd752f9e828c4b513b46545b7150eab

SHA256
e1bd7a876eee349e908024ae9788fb47048b387751d69482b57038bdd2320bae

SHA512
47ec0730d7cad5e346c6cd70716422d9aee11b6eb91b07c95a645512dd573647be1fa07f65da186bc8ce899c7aeb0f72153de1d3fa4ff8c5e5c011c926af41a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d58b5bd6450377a792c2273a0edd0aee

SHA1
08326597646a75cf29e0e8a2da9f43f9518ee166

SHA256
450890b0e49090eb575dfc719aa85b779a91d55a8c6f6130396fdfed3870e01e

SHA512
042e74451d885ae331973721b26ad8254018af756a2860dc5f9ad9d405ee9f4ac2f6429126096a46ee585f760d92ae205b099b4561db3668b80146ba8c83f0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
afb5d8e0f194eeb3b42311ee773e5a01

SHA1
9360f837fbc043d9ee557c2309a457e564c4d61c

SHA256
7893a8fc9fba76aaffff2639493085dc7e6075845d47d36c37e94d8c5dbb955b

SHA512
ee9618ec45b87f17337a20e2a5f9388b75eb3c18b6c4dd5bdcd210d502828dfc8da948f70f498ddd7c1ff865c6e714a2c0095c78b418a5d57af2ee2a1bf821ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53edce154e9ac57263b38105164398b1

SHA1
0187c0789d84fb146b05e339bc96ed4d425439d8

SHA256
d5b5c2eb6403a85d6bc7a6d2bc1321cd4f5bc3c96cf00c3f72948443f781b84d

SHA512
a4e61321d8c3078b6017f62f5ad82e4ed3468acc27d70ec6d01fbe61ff1c7dc9ff7c0d3bd521debc5e45618788bc8ac7e404d7c095a931aff8ff994a58d8e550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
777421eafdcc83354072d22c9ec20ac4

SHA1
17b7014e245b12d97d9d602933be72f308370716

SHA256
37c4504a503ae7fb1e96274c9f39fd5c679bac88acae7b8447f66628520eeedb

SHA512
3e505347ea879cf38d8b0f3ac43b9c1000ec299186a0995a27def004901702169ee7413504efcd83b7799aec50df7f4f31052f12f43ef425a1684f0a1f3a5ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5cca5870f307f4b936c699be47a8db46

SHA1
ef6f7bc10dd6949f1f63e740d53275e1109eb858

SHA256
7f2fde4e7c4d80e02fecc3e7fd30db3538506de6b17f7249c317409894d3b429

SHA512
825ce7861db1cb49164eab92e328ae06693f5246e799df4a8afeb73d9c9c9090edc5c2ee7e699eb4fe0b88b36955a5ad34621dcda11e46469fcbbdb90ad7b2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3423bf2c7c25842c6a644cd04034fb77

SHA1
ac7aeb5a0804d741772dc6f772bea498e906209b

SHA256
8993a2bfdc987c2955b6523ad3549342191fb4f0199f42269a86b81f038f803e

SHA512
b94e30abeabb910684f74b562a4f9322a9e312cf63861db6b5d636b4625edeb81be5806c63d20a4ec9c7e2418dbd41ec8f4260844fe7805fba4521560448bcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
08d54af6cbebcaef00d4a4cc047c1894

SHA1
b7041b623876f7ab3ea2b5f684717217481e1cac

SHA256
185d798430d68c9a189e2c104e41d2c47c58855a25820c8342b0d5ac4a2106c4

SHA512
ed2113850c9e4af4d71543ea8b7f87c2f7f71b2c7230531570c98756015cf09587e954f8026637f6d2ba0d62f3fdddce6a724d74e60c1fbc53635d485b293c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581894.TMP

Filesize
204B

MD5
518351381120e2c7e9c6f51ee019fe8b

SHA1
44285fa81dbef7b0d35ce7e66c082f40d0d3de7d

SHA256
71c924dedeab173a3d17a63cca8f9fcfbde26230a66dd58b3b7b52d5754d158a

SHA512
4cb6a600217785e8e855cd033f4a5ca1e2dd4828b654ec01575490eb575e69fe2845a2ae044d719334153a2ead4c410ae355c04c7b8d080f72b021a2d7358fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e8dc674b2e7789dcac8b01d37677e7e6

SHA1
960c60f1b48f1a3fbbdcf3d98c54d1206783d363

SHA256
34e2a5297ce396e25b588afb0bc753077545757cad1909dc9153ab72a337eb18

SHA512
bd730563c6ad624f175bc38f374cc1d49f8ab83686141f1d2171a6af411e73d087c9dc80044503350e404a3590ce3926fb85fda458e26fc03de4ca919c97988c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05c50bb3ec655a2163127f7dedf2a1aa

SHA1
d7a0e73c1e5362a9296c488742aa2ad023bda5a6

SHA256
c24721d93b5348cf22b07da4267e2978384b6191e71f5968c30c8fe324519b5e

SHA512
5dd564ff01ead46d32b79af983721fec520aa980f14d1d7cd64a184be953f8defdfc4a540a4884decf571ae1bdadf8dd153df76a86fae8af7e199cc8015b85b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
259b33ef4a90dfb6e9a8c478fed9164b

SHA1
013ea8afb1736b0e22e4db5ae7d542022ec3500c

SHA256
92e31a8801b4825b68d86b35d92d3d5938726d87424bbc2c503666f4221bc325

SHA512
d787cdb197570437776291eb347a3ee7af52ab4868bb13343470639c777fe4adc22b8e0e40c09a9a3f3715246273aeffc47107345be5e000c8a7c7c475e174bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
354db6975459e3007ee786ecfdf90ffa

SHA1
67974fad95f8e596187ba237db2f84d51a7acaec

SHA256
7e6523455ac49fd90f9b9d161e969587f847dd3bdbb27e55b3667aaeb0245fcf

SHA512
557d55fadf121be419703a5062019feaea7675b0ae5700ef295df22eb030efec4e9eeb0f2563e3c80a52e63d03f885c7e4b775268408aa80138a7d77aab8193f

Download Submit
C:\Users\Admin\AppData\Local\Sentry\1B5A6FBA371851648D43F30C84A8B5E3AEA6BD63\.installation

Filesize
36B

MD5
d8035f48764047063496e8bb0ced6761

SHA1
099adf87f706a4b53ab61e8863c14a5b806a3a0c

SHA256
2c518e9fe9646fa73c516a6f2f77fcb574bf21a2f58d8a40a569e682f0abb49a

SHA512
1b72f96ba0ca2c0ea6a683065912a051b73ba6ebdb60da96f51b7c12e41e110218f3e54d89ed211c375cfdbc5a9744dd634f17d80ccae03f376f741413fafee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1D81.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{071444F9-5B61-4482-94C4-F2B13CD39908}\_36DF3F6CA6BD37BDE869F0.exe

Filesize
4KB

MD5
3772bc572222ee4b4536e308d41b00a0

SHA1
278ed102dc1ca22ab912f95a5be5c801ae475e10

SHA256
a93caaaab2d4d9560a8acf5c9622f55ae31500bd1c173c658bb8f88c52b56834

SHA512
f88b488a8312f2e2452ddacdbac8b0e509d182163506b282607c6869cd2545111c8d53b480443d1081e39dc742b38539fbb124a6e32cad15380f17f7b72fdca6

Download Submit
C:\Users\Admin\Downloads\NovaLauncher_44dc2817f4e85757cc52784cd3521c67.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 786373.crdownload

Filesize
7.1MB

MD5
44dc2817f4e85757cc52784cd3521c67

SHA1
41fc684fdb5331b3bc0a6a48f0903c530e3ff054

SHA256
4a0a4a787586fbc370a2721019013e158a88d5c5f78fd140c91b54af42103763

SHA512
66215cc9fb92c7ec5c9fdbe85df9a98bfb72cdfb48e8db51c4ea9bcbd22ff784d57313dea9a6a0a1ee98852d52bec455ad8983e15cab9cd163cbb136ed0f2d18

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
6891ea6539781538da0989deb6699ac3

SHA1
0bd6651ae8f5630fe035bbf6a75e15caad9b8b1b

SHA256
8237b20d583739c9b2f06bdb16878bff84a0209c383ff007cd16f258d1af8617

SHA512
c3fe42f9880b8adbbb5298ff9ee6b29a519e22b1c4ef473ea085bce41e91bf074cfa385b6a96e6557df8fe035d6628c893aca7d8de6dab1eec719b5a61aa493a

Download Submit
\??\Volume{bee612f5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4c4f775c-94c5-4213-912f-d91536ff2007}_OnDiskSnapshotProp

Filesize
6KB

MD5
3594cdcd96258af772135b53ce1e3da1

SHA1
88213a8006ab54754bf5800f40bf06e155fd39c1

SHA256
ea6a5724c5be685622a94d72091cd69507779eac8e147d9aea97399ee0b5bdca

SHA512
bc9cb0ff2bc05656da3ea0116e363061fb39bb42afb3c53996bde8dc01ae9beae5c48d8a77750ef7494f36a2371c745b96af9983b6349603f87f57e2244862c9

Download Submit
memory/1380-402-0x000002C243C70000-0x000002C244732000-memory.dmp

Filesize
10.8MB

Download