meduza | hxxps://www[.]mediafire[.]com/file/9lc1hr1ni1v3qdi/Kiddion%2527s_Modest_Menu_v1[.]0[.]0[.]zip/file

Analysis

max time kernel
112s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/9lc1hr1ni1v3qdi/Kiddion%2527s_Modest_Menu_v1.0.0.zip/file

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2360-422-0x0000000140000000-0x000000014014F000-memory.dmp	family_meduza
behavioral1/memory/2360-425-0x0000000140000000-0x000000014014F000-memory.dmp	family_meduza
behavioral1/memory/2876-446-0x0000000140000000-0x000000014014F000-memory.dmp	family_meduza
behavioral1/memory/4320-457-0x0000000140000000-0x000000014014F000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Kiddion's Modest Menu v1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Kiddion's Modest Menu v1.0.0.exe

Executes dropped EXE 6 IoCs

pid	Process
3752	Kiddion's Modest Menu v1.0.0.exe
2360	Kiddion's Modest Menu v1.0.0.exe
4592	Kiddion's Modest Menu v1.0.0.exe
2876	Kiddion's Modest Menu v1.0.0.exe
5884	Kiddion's Modest Menu v1.0.0.exe
4320	Kiddion's Modest Menu v1.0.0.exe

Loads dropped DLL 3 IoCs

pid	Process
3752	Kiddion's Modest Menu v1.0.0.exe
4592	Kiddion's Modest Menu v1.0.0.exe
5884	Kiddion's Modest Menu v1.0.0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
344	api.ipify.org
353	api.ipify.org
343	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3752 set thread context of 2360	3752	Kiddion's Modest Menu v1.0.0.exe	127
PID 4592 set thread context of 2876	4592	Kiddion's Modest Menu v1.0.0.exe	129
PID 5884 set thread context of 4320	5884	Kiddion's Modest Menu v1.0.0.exe	133

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3980	PING.EXE
5868	cmd.exe
5536	PING.EXE
3224	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe:a.dll	Kiddion's Modest Menu v1.0.0.exe
File opened for modification	C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe:a.dll	Kiddion's Modest Menu v1.0.0.exe
File opened for modification	C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe:a.dll	Kiddion's Modest Menu v1.0.0.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5536	PING.EXE
3980	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4160	msedge.exe
4160	msedge.exe
628	identity_helper.exe
628	identity_helper.exe
6024	msedge.exe
6024	msedge.exe
2360	Kiddion's Modest Menu v1.0.0.exe
2360	Kiddion's Modest Menu v1.0.0.exe
4320	Kiddion's Modest Menu v1.0.0.exe
4320	Kiddion's Modest Menu v1.0.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5276	7zG.exe
Token: 35	5276	7zG.exe
Token: SeSecurityPrivilege	5276	7zG.exe
Token: SeSecurityPrivilege	5276	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4392	4160	msedge.exe	82
PID 4160 wrote to memory of 4392	4160	msedge.exe	82
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 3096	4160	msedge.exe	83
PID 4160 wrote to memory of 4904	4160	msedge.exe	84
PID 4160 wrote to memory of 4904	4160	msedge.exe	84
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85
PID 4160 wrote to memory of 4684	4160	msedge.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kiddion's Modest Menu v1.0.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/9lc1hr1ni1v3qdi/Kiddion%2527s_Modest_Menu_v1.0.0.zip/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea18146f8,0x7ffea1814708,0x7ffea1814718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6984 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,17839610579574189018,5335931264452656427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4868

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\" -ad -an -ai#7zMap28899:116:7zEvent12299
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe
"C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:3752
- C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe
  "C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5868
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5536

C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe
"C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4592
- C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe
  "C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe
"C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:5884
- C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe
  "C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3224
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
96516e76bc39acf87b4abd1bb96fc2d4

SHA1
0b1db98b0123f140ea74bd793531830b4d904d18

SHA256
f2fd824a0d417704661b021214e3aa0816b0c73977b0aa42db150c0dccb87cb2

SHA512
d244ce5ba49e544ff23489c40a6365d58518c490fde9695da06b17a88d814a5d10643c5cdcc2ec40287c96f1fea083ace141194147c3e6c2779ea844854b61c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
45f52d78e36ac6adeb06b277d19f28db

SHA1
1b30104522acaadc4b19a7f7d85043088f0f3ac4

SHA256
24c998a90f6b66c239be7075eef8c34b4a3003d5d02b1f7e777a85f60b01ed9b

SHA512
0cb1d0479e6a3e696e259595d69409a122d252a07c88a3431e699f53ac74a87a966d0e9860d496eb8904b38d6808baaca7d6e15a4127485c3dd327390dfdb104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ae69314eadd38579093b6b705877c268

SHA1
90f5b801b404ceb4e39e0d185ee7991535adec93

SHA256
a4add3616fb4308615f28707f2b24a18cb40b66ba600dc60e5be61cc7b8950d7

SHA512
2d936d53bbbedfa6c2c8e141d020a38cb4a31f1436d1f95a95b99537c760a568f15c00a28d5a872554ab2376048de7dc1dc02bbc2ae3011f938edaa2cc4145a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
6d60bbc4f2e1158ae109789978e17498

SHA1
9228f8dad0f11748fe386caf5d46387becc17ab5

SHA256
cc1fb276db634d72a56a3d1bc30d3ccfb5d64fe858b40e0ec2fd8bfa67c3fdb5

SHA512
84e7850ad040ea815079b380a351fd1358a1d7bf528244dd5f93afe8be07f2025f752b3d621da59cca0841b171544b2e4f34466515920c3b0659dc6e1073d3b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
55ba693b52c3f6dbf03527fa5f8d1edc

SHA1
a6c465eef15b87dda920b47ec4921d5b5f53075c

SHA256
568853c91c63bdb3f8e80be9d98b209407bb7d3de6aeaca30c7301c2f45b6d1c

SHA512
8002deecee9c4cf44158f725879a68ba1ebf845a1770b5d1b11058ff5de7b8fceaf95c91e519fa3b7011f10a62e553e20a7d04762b4b35d33cb5af47fb57a317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
148KB

MD5
b134d271c5c4751f60323160fe6c0dd6

SHA1
53ec5115268aa35114f79618d1a53a0d10a1b30c

SHA256
95acaea44a732f5a914b52a28452fd41b2ea9fb4f7d733295ee576c32ce7444a

SHA512
242f0c86cea84a0eb757813e0b62709ac3f49d1bcb0120b93c065bdb70f992c384cd9f2c419c3e057af1468db338b7e2830267e1ce92787441e1add115186018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
4KB

MD5
eb9a862c43a3e7dececf9fd3d6df686c

SHA1
65248ab307197686a45a6ad3d520f5bfe2658e04

SHA256
b2644253f20e5a5ee811d0482e6f4d3b0608674297604083086d3f2a6e682597

SHA512
e6a2f9807e49d492d1ddf46a7886abe8e7ecccef0d1df465b1afcc80dbc680ff329422c5da7d218860c0679a110006e390241a597e36dab58a75f320ded7637b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
01d348235691fc1ea7ac47ac2710da76

SHA1
7e8385c478417659a8154a74b0a05ff6d0027edc

SHA256
c6bb881c65d6320c7fa27c7c1b44bf8957f5a597041d8f27cbc14f3ddfafa676

SHA512
966f75517ed5e7be9a2c484c214cb44cef140119fafdf2dd0f74aaa9f4c43f729773b1370f4a4ce8ee4c2e0cb6b9cd906f7031c80a7fe1625d022abca687807e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
aa9bdbf02ea1a25a8b2c4a4583e1b11b

SHA1
25f68f9ec76763054dc388afd8ed33912bccb841

SHA256
81e003568d5f234240811d582cb300a74bbd150f33699b02ba117edc7ea8b0e2

SHA512
ef207bbc040e7e1f7aa5bca192617e2e85c53f4dc915e92f4d09abfc3e9e3addb0550a20ce2c255066ec23e526794f24b91bb4ba38112dd14f401f50e156b47d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
238170ab3bbe0fb442f4433cd94547d8

SHA1
188842b67156e6c53330214b5f868dc738a9a201

SHA256
cce35ff91b6c3dd09503687ac9f7bdd9ded451bf63b37e4368652a94f666c589

SHA512
6e45ab9a3ee9301b8e1a4fec0f001145759ae837eea48f6620c3e8f7c2285234b0eee9d17aa7f35870adc438bdb9ba4852091567125b038599a971881f57e32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3a1e814f695d92fb5ac16d503b4be22

SHA1
ff8ab5d992490dd2c1fb134043c8e51dfd1bb938

SHA256
bd246fe8cd21032f9c5769d2f93b40952b29caec1e64093ebbb9389ec6e13059

SHA512
daac230520dd4170dd0e87f0254d7a83ef599868b5de559ae96f7ee13d91a99572703db06d00f06d37f746525227195d1abb5bf382225e9f178d4ca476575a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6fcf05e93a105d579749adb16900b450

SHA1
3b9d3593304dc22d0afa6e1542250d11a8a38a2a

SHA256
bc93a86a327aa82e069c953487a018ef08f6bd899ced0f39105861ba644a239d

SHA512
503a7d1815b8629fc7fed8b852837387b503c54c8ab79c3364367a6f41d5890551188948cac75fbfce3d9394f944f0c589594ab9050f25f67fae6850de920c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
ee88626f7d618808ca3766b980e5f747

SHA1
b60c83a2dccc2d76e4fe959ea9491eb3d79c9272

SHA256
b5873f1d73a389f7b6013e804fafdc409e0ce188aeafa14ad6e1947dcd7b5bbf

SHA512
e420e49bd5876b559f19e217dd89d93bf3ad9cc8e2cb2957a77ce1793edc6a2de452710c1d9693acf88c9be68476a2438d1661d7dac4c1458fcd37b905bbe085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
872afadaaab2c68d7b0635ecd81c0bf9

SHA1
f2cf056fb663da7027a9911f070d38e95e9d8cb5

SHA256
f38116e40835c19490e68af5ab3fceeb1bd4255b435f8cb1f6345c807d283653

SHA512
b52eda6d4fdafbceaecc4f6853329e2e331e3644804e8c727af17575eee794cab629232de5a4bdc064bfc84e495ab5fb238a5a74c9ba00ab3fddb8715d5596b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc46.TMP

Filesize
2KB

MD5
6f0cb90261f45a172ce502898f386eaa

SHA1
464bb4055f9b0e7f87d359d185d4d4904fdc2ff1

SHA256
2d51ab6314a9b5f6505e2369a384ce679178c04eea7b2f9c952f4dd9cb2ed493

SHA512
b6f3f0eb6beef1485966cf8da632325cccd5b56f56362f8ad27c7d5742a909c48a04e9d323e83c943a125e32e4ea2e482e602e98ab8941e0c278f46934d145b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c60ae5a08dedc9dea2803cc9e07c3707

SHA1
f1d5167e5b5fba9cf80cbcd46ff9eefaa89414d1

SHA256
a4703a59bcbba04929332226dd281c238eaef81c38a97ae3ee253e87e755fa52

SHA512
83a240afff8278d289802ab3f3dc21a3951619ec2566058c12c73c690fa8af8bd5f125b3ae71813a20446c1e3d6bd678d23ae681ccd75836da3952ce60276f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9955318c7f7533117f2e6d1435fb8c00

SHA1
59a625bd68e1e12f249f80f2119c49ebeb90bdfc

SHA256
c610908cc1b825698be17e8996fb4cbb7591ee48bd142e017d939b30cfeb14d4

SHA512
92d4ef94984fd1eb3ddf9a72dfe3d0ad407139907f88bfb1508be450515d7759b93922f52f9a717b40dab87746a08732106489b5d6e02425205a86500811af38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a4107a98657b433cdefa3857f3321b87

SHA1
fd81624d8162b99cd057ee0966d40bfa6b797606

SHA256
6ad457ba4b554a363bd9e7b68c0099b68987031f98f9159abc1843a09a38b380

SHA512
027449894ba4082eefb9a062d873e2f301ca8ff431aa2c17c8c7e22791cb0c643c42e614c151f32b53bc1e02440712bde30365874e1c4552ce34dc5433027dc7

Download Submit
C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe

Filesize
2.7MB

MD5
3567ee60deb35afd811a25424c9b13a8

SHA1
850f2bf4dbd2e569a9aca863402c392226753956

SHA256
7a88ac88cd9a64ac367e048c1ce14a6fb31d5025a95e8ff6fc42730ac3f941a3

SHA512
a004731ba7d2abdf8bd1691ef98356da7e9119d1d7d281d824d9229a21acbf6a82801620250eafec63bbf5d09817b5ae93776d8721543a2a7e1bd2ecbe80c20a

Download Submit
C:\Users\Admin\Downloads\Kiddions Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0\Kiddion's Modest Menu v1.0.0.exe:a.dll

Filesize
1.4MB

MD5
9123b83c1df6ead534e4961f71c5f990

SHA1
8c52f400b274da911f63c2e99b72d9e23719298d

SHA256
ad9b9da90c157ffc51b1284a6d47f439119fd4e11f4c57063b4ba13c9889fbc0

SHA512
d3489aa96d8603e36728b99b117306b1f10fdf921db0043281680cfc9db344079a50ae5c07a7fbb1f37cb089c35cd183f4ab67b64ce2a03004ba99307933e39a

Download Submit
memory/2360-425-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2360-422-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2876-446-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/3752-426-0x00007FF795AC0000-0x00007FF795D76000-memory.dmp

Filesize
2.7MB

Download
memory/3752-427-0x00007FFE8D300000-0x00007FFE8D478000-memory.dmp

Filesize
1.5MB

Download
memory/4320-457-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/4592-448-0x00007FFE90DA0000-0x00007FFE90F18000-memory.dmp

Filesize
1.5MB

Download
memory/4592-447-0x00007FF795AC0000-0x00007FF795D76000-memory.dmp

Filesize
2.7MB

Download
memory/5884-458-0x00007FF795AC0000-0x00007FF795D76000-memory.dmp

Filesize
2.7MB

Download
memory/5884-459-0x00007FFE90DA0000-0x00007FFE90F18000-memory.dmp

Filesize
1.5MB

Download