elysiumstealer | hxxps://www[.]dropbox[.]com/scl/fi/6u29kv7ly5ag0e2mag4oh/CGDL_V2_Updated[.]rar?dl=0&e=1&rlkey=0eb8fpq3idfu39n4qbi2mgvdb&st=42ibvi5s

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/6u29kv7ly5ag0e2mag4oh/CGDL_V2_Updated.rar?dl=0&e=1&rlkey=0eb8fpq3idfu39n4qbi2mgvdb&st=42ibvi5s

Score

10^/10

elysiumstealer discovery stealer upx

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\Distort.NET_VM.dll	elysiumstealer_dll

Executes dropped EXE 2 IoCs

Processes:

CGTraderDownloader.exeCGTraderDownloader.exe

pid process

4748 CGTraderDownloader.exe
5856 CGTraderDownloader.exe
Loads dropped DLL 2 IoCs

Processes:

CGTraderDownloader.exeCGTraderDownloader.exe

pid process

4748 CGTraderDownloader.exe
5856 CGTraderDownloader.exe

pid	process
4748	CGTraderDownloader.exe
5856	CGTraderDownloader.exe

pid	process
4748	CGTraderDownloader.exe
5856	CGTraderDownloader.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4748-1175-0x0000000002B20000-0x0000000002B3A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CGTraderDownloader.exeCGTraderDownloader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CGTraderDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CGTraderDownloader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 10 IoCs

Processes:

msedge.exeOpenWith.exemspaint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4616 NOTEPAD.EXE

pid	process
4616	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemspaint.exemsedge.exe

pid	process
2536	msedge.exe
2536	msedge.exe
1968	msedge.exe
1968	msedge.exe
4884	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
5772	msedge.exe
5772	msedge.exe
5224	mspaint.exe
5224	mspaint.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

5176 OpenWith.exe
3980 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exeCGTraderDownloader.exeCGTraderDownloader.exe

description	pid	process
Token: SeRestorePrivilege	4996	7zG.exe
Token: 35	4996	7zG.exe
Token: SeSecurityPrivilege	4996	7zG.exe
Token: SeSecurityPrivilege	4996	7zG.exe
Token: SeDebugPrivilege	4748	CGTraderDownloader.exe
Token: SeDebugPrivilege	5856	CGTraderDownloader.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exe7zG.exe

pid	process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
4996	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

OpenWith.exemspaint.exeOpenWith.exe

pid	process
5176	OpenWith.exe
5176	OpenWith.exe
5176	OpenWith.exe
5176	OpenWith.exe
5176	OpenWith.exe
5176	OpenWith.exe
5176	OpenWith.exe
5224	mspaint.exe
3980	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1968 wrote to memory of 4464	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4464	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2540	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2536	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2536	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1340	1968	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dropbox.com/scl/fi/6u29kv7ly5ag0e2mag4oh/CGDL_V2_Updated.rar?dl=0&e=1&rlkey=0eb8fpq3idfu39n4qbi2mgvdb&st=42ibvi5s
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff998d246f8,0x7ff998d24708,0x7ff998d24718
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7257405462408754744,2945579171005701613,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5564 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CGDL_V2_Updated\" -spe -an -ai#7zMap131:92:7zEvent8337
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4996

C:\Users\Admin\Downloads\CGDL_V2_Updated\CGTraderDownloader.exe
"C:\Users\Admin\Downloads\CGDL_V2_Updated\CGTraderDownloader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CGDL_V2_Updated\downloads\tac_glove_039_viewer\thumbnail.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CGDL_V2_Updated\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4616

C:\Users\Admin\Downloads\CGDL_V2_Updated\CGTraderDownloader.exe
"C:\Users\Admin\Downloads\CGDL_V2_Updated\CGTraderDownloader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CGTraderDownloader.exe.log

Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
113KB

MD5
8d8ddd29a8bd31ba969f4ba6fa8ead01

SHA1
fb73c3a9eab8a40fc42566d133e4c19236081db5

SHA256
d3a6442c46ec396cc5848b3cfde6837d8dbff89a8be6601990bcec81987033b0

SHA512
d3ad9d3b00b7cb8ca713a49f1f0abb32c364f16c25ff8608791ea40f19515dc57bfc51bebdfaeefeb7d5eb6ca6b04ce437f296256f72eff402b80715f1265ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
85KB

MD5
e4506b7856112042dd4c8408a2acdce6

SHA1
d8d52a68c7981fe85b21a144907b4f893d52f30c

SHA256
bb92cb73839e356b961e73108f8f6d62b7c41724dc6cb806f784df47e0b2db7e

SHA512
103f86d240eaeb6233c29d07efee1f7471b44a5179f1d1343bf6a23f09172707b6222bdb4bf141575149b2f4efab6bc10693565118476cfe33a291d925e58daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
57KB

MD5
23fc98cb43cabc9635a22a5325915d20

SHA1
09ccbeba29d8f6f07dd0574a83fcb420ca3fa94b

SHA256
dcb645d979ac7fa559665e4856c10d14ceb25bd50d8467685fbec519f96b16a7

SHA512
19a8b48a6b9efc1cae392fc1620e57d573ebeb12c81141c4addc3ad9b759227fd7a20b478bb201467db6d3f6181ab627cfe5fb72fff7ea512312164233fa560f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
106KB

MD5
f49f5ff909db7c838f8c4b18b66f92a2

SHA1
8b1abb1a1e54d4767335976b2da78ad06fce211e

SHA256
8b5ad282febb2ad14db3ebd8f0cbd484c2db40899f4ddbbdabc6a7a8648a567d

SHA512
d6cf60b709907deb2b18dbca8c57a4231169d31b54163718540d4630bf342064959d1897507cae69884ca135fc1673dd28615f57d9b6996281bf22560f1f8c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
113KB

MD5
b21b6e8c68f03a09ba2d6c9f84a5219b

SHA1
7888bcb564d6672c0de9d5acca7ac1749f66b83a

SHA256
9c37cab0fe4a5819941dd27d44a9027c91e673b00cf2a208c8ba5ead45e2e2d6

SHA512
c7a4e7a916b60f4b262090b5469a44082c722d39853fd6f643fb68e2fb4a0a2cdeee1faccb2bc932a650c4bbfb21e7447d273cdaf198aa4dde6f325ed959c287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
55KB

MD5
dec0c1b6789c165b6cb6404022b9d8ab

SHA1
f7ea4683e536846b30413f51ace75f4d4100cf99

SHA256
199f0d0985bd3150a0e04a4326d70acde490b15f7e493da2195cd3cdb212a225

SHA512
e5a22a538d8506aeb86582cfe7a90004a4f24225c166cf4c7f971f653aa9544291c2ca85db054324a967b15ea79f0dbdf3e20422991c783d5239a970c68559a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
18KB

MD5
0b4ca9d95b2c6c50b7b3ca4fafe36b74

SHA1
953847f7a4dbfbe1107f99c5593fb5c8d0169600

SHA256
a37760cf1e81445eaf068c5ccbd23cfa58bbbccb6a11cf0c1acc9886318882e2

SHA512
91bbdccf411c0ffed59b89974be14b670af4f803bc74139406a9d66984049b0b041d170c0d5d017eb56e0c68a6cc7ace2a1fd8627d465eea54a9d17e3dd61af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
24KB

MD5
c3115b9d64c504eed5bcff4e38548b60

SHA1
193cea6052e1991c7083f3f8934f23bf500a2d8d

SHA256
c5d4d12a19be48b9d8c49ec82d710005ffbf24d5620534059261eb3fae0c263a

SHA512
c6d7d851ee5c3994cc01b6ae91a605853a35905c2c836729c5082e7931232c75a74ba47cd42c4d03cb98345dbda58e450577bcd4a5a740f34ff8e34c58931560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
25KB

MD5
b0411a6860f7bb77044a34d14bfd9d90

SHA1
160822a547a4facccb275fd22560b8116c96f76d

SHA256
fbb9de12de8c1331bf44c311600319cc478ba8250cce88fc95515990e0c543ce

SHA512
fe8800383e4e4e71d1f2108b0560d563779dcaa3537ff2cc03a259edc4d894e9226c46b71e69b404d694399e9058381c4005dd13db5af6b321781321b2b96381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
40KB

MD5
67371d8f8dc3cab72990cc9bcd99feb1

SHA1
0e40d698f1248cff0939964d01633fe3e8497311

SHA256
1bbda0f7641bb1e47e4f33166533318640b20e06f614325d4fe659ba45bd4bde

SHA512
e4a77321120b53c9538dce2a990a11fc9d5dafdcb24f632e4efc4066203e77f563908c7a926b0942a1b8c5f525af41c2e8ce2f1e7a708f45929f7bd48ae9e7bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
45KB

MD5
1d7b76230af93d43837bd4c8c88dfebf

SHA1
f79765fbbdeb5f6cab9938779c969443016dae1c

SHA256
3b2d1f512638b60a318c6223ab7c5a494c026cec0581c1c70777d797500cd061

SHA512
bfb20b469e2c66987fb64d7d676e2bf25b48d957a0ff9c1a177d9aea9735645e2238278dfb67b88c20c474f6fc4a2b4022bd2999f1f7691551dd1064c3f7ee93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3ee698c9faa704ef735a3620aced1e70

SHA1
7924adbf5b86f3d15bd0ff49bd6c2ec2a69c226d

SHA256
531df1a5e38be6617ead73a89a3de2151073a89b327e65422a478521c2aa9d52

SHA512
c15992d1d1aa78076a888e571c7993d7cc085b6aa41cb4241893e01a2bec579ab4fd147c5bb6c88083d0ab9cbcf7bd2863d96324a156f901900702d3e93c666c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
6fb7c5598aaa936b07329731e4c3f718

SHA1
688441ea82db0f96ed4d54455b3b11986759afdb

SHA256
9e49fcf1e79d34654dae0aa7cc2ef80a8ef38dfbb9c9f7dcc5ad08fce3f11dc5

SHA512
0c3694f962705d04dd449e87f7538879e542122c0750fb84b5f705db11888a95eb9b26215ec8eddaad44a4b84dc6097ac7aa8fedaced6e2157d73413d92cc3a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f24738396a68699aeb225c4657c5f9ed

SHA1
6d0887bba9eee35da1467eceea8887761206464d

SHA256
8ecfb0c656a074063596e262b97238a31370c1662ba07e45ddf31f981ad72e3f

SHA512
ec129be0146cf5e6810761faaf1dac2a8b26db07a08913fa6f4597305a0bdeef7fc6c1de82e80cc11c0c55417a07a5733f4799110aa3af00e7b2c5544fe5a4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
edae76a49b1b6e43bde1fa6db86e9470

SHA1
8817a89d0639328906b415cb7442730c40e015a0

SHA256
5d297508bfc2f7b6a8053cedb180436c0dd33f8edaecf1e2283e16d30e7522d4

SHA512
b52f9c1a279a3ef893df81d260a8a6431a903b3b54b99f4b7e5505f8db362807fedb1c1f3886d5d56dacf5563432690460cffce57199c8550c0d68693e1d9ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9419d37538bde7d4fa65e8d191050712

SHA1
ef8e31952477aa1277de856362fcb2702cfee17b

SHA256
57c593d0cb0fc8e338ccff36f5cbfb424b898d6bb1f92e4bea368658b2a47dd3

SHA512
cfd5e2a8c1b07f0a68035bd1a97aa3ec882ffbc58a9a1ce05af06a1ca35a9f4a50d5487fce06158b8a6504709cdd4ab54e9a43c576a79ca111907b44c6bfc3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63f1d2559f685dbe54d20cbd7c6e432d

SHA1
30a87b3c629eab40265d3cdb1911dd1e247bd53f

SHA256
f3296c68703bcb0fd587c9b7e02aefaef02d73ac53293ef82ba0b3a6938d322a

SHA512
728363eb06e5de49cd8b65f19600d9134fab9e70b6f8a17b8ab1d5f0c1380482d9c9fcbd7b34c5445c45710e9b86b38c4f251619b62d834198967a9b9f0dca07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b940640b71225005a5cd9f7964fa8a48

SHA1
6fd12aa709d600650e0c34b78d16aff9f4c6db31

SHA256
aa3d38a94fb005556328adcd2bb7d98caf7ecfe20bb50a9f87d9cddac8772ad3

SHA512
a0d125a7963b65f6cb1ada67dd675e7e3d6c7cff0c7602fb7a24171d264834cd07f65814b1c9113d9bc8b26e708c9e8ff12c090db60971b3d66837b7cc183710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
30b11ba628e5872de86f5a629b92d9b1

SHA1
05c49b90a1cbeae5b7777dc2cec6f521e20116d7

SHA256
956716c718ba42dbd545dee76dbf7490b6823929b73ffbbc0779e45530e9c4ee

SHA512
b5207f0671ff647b429db193c20c5a0852595f631c8752863420d7a2fbaa3f03b87dbe5e164f2012c5b1ae508884b5501ee95e9d9bd1f733b442645100b1f19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6d6215ef2f5e2d73df07127eddebbb1

SHA1
f5c881bcd5dbc87917a68c19e566bffdbdd82193

SHA256
2f0dfb66686ed3de143b521cab9ddfdfeef0de586b3d5d2b8898f897703bad6d

SHA512
fc316361fefc49fca060a353cf37fd5b792be0c57a55158351229e0f15b026f1ddd72f983cc43fbf9dca5fa0c822c7c63a1a55df4758e240b87e84fd7589c769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a59d55e38f828ae71dc0ab183fb52f8d

SHA1
a9e73101f76f511a68d64852776bfd075cdb79d1

SHA256
0d7f739a02378a9df5221ac63c03da2b5c9e6fc3eed17d925700072c8e308c6c

SHA512
ab9f8378f0d6259dc7cd73152101e01c558fd821fa2b3ef7c5094dfaa49ceee0771821dc3ebf85c9d586706bda56d5020aeec76123121b88ace147464b091ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
7b39d45e2a471081087c6b5106efdc21

SHA1
d52d58da30aae99167cc329c5b4b4ee3ab5b514d

SHA256
6520fda042da206faa3fb74daa9f117cc8da5a0515f56be56a92aa1157cb11b1

SHA512
bbe11a1a9b15123498e9aee216c655e141621f478ff9e1b30577e3065766934144c0ee92765c0f020f6f51c51b4f07258a04e900141864de1253a27cc642bcae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
0fd775998709756532d1f7d429be3e48

SHA1
b932b081be9dd1f80744e3dfc026719b582ed034

SHA256
296d658a35f2330b137d5c073452d5b39a6abf01a73c21db0902352ff589175b

SHA512
5e36a05259f19f055050476fa609c3a27632772d5f9ee6c0084be3b5f307d2cfbb784d3570ed038f96d70febb472c1a3a75ac965d76d45d5720fcdd1a29bdb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
ab6c644e27262dfbdf0878444d07c32e

SHA1
e64e2101770185c96d226641196d0332472bd534

SHA256
352bbad18446f713d7852295375117531437ac37b3164bf5f503c5f4e90edeca

SHA512
61134de9199032ad4920bf746a97c872f79135c499ceedea3cce38344ac0626e2fdb979b983cf13e0001a603dc1cebbe49f34727e9dc6718d28163c0ec950907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
180a66dafff0232d31bdbf33140e330e

SHA1
137f04122de27759eca30f9c9b21cd4d87d241fa

SHA256
974710d38166a16898e2c6813d3f73a8f2d89fc5b56a0ca151e1fc934afba7b0

SHA512
3facce9459e9dbf1a66d9ea0054c973f9c677d923edd935e98204858c4134f5639440ceba404b9dcf7de814f626b2190d4a644c95273b8deb3e72e48cef708b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
d73547a941361f68b5258ac870dd80cc

SHA1
ed26a9f4a3db4b51429be9ee2b1213c4ac89feb4

SHA256
bb1e71dc0847e0d6f5937488dca6f2254bdbcfb1e2338f655c5c95ec3566c23a

SHA512
592a011c33c48281448be64aac6e8acbc0aebc6a7c573d5c1fd7c5abca668ed0630cdec74bcf5bc37ab3cfcb41931e596b871e73dc68ab55657d350ea9a75c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
08b8c134b6a6ac0d26382cc78225c489

SHA1
a8edac197a57fc032520fea9ba6b681d9d59e73f

SHA256
36b142e1dc584066589b00f2064ba7d9508342bcaaa66a583f26918d71636e01

SHA512
44f1bdc090b464aba8faea478ee4feddd0fe606ee14d4f03aae09f2af053b9a5629822f9a6e26dba4aa4b131e625c23c13947e63749b6b970b93f88572088c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f84c97b1cb09c47eba9d8fda823e5a2d

SHA1
4eeb69675460559b23fc4d2f7deae01e9f12e3a2

SHA256
58395ed9738171436e0fce116651dbc80f2ebeb8312626dae843a2b230c3301d

SHA512
12f9e23071b3f619d4bbad7e6576dff1af0ff3e4c5219af4462380e71b190df1df418c56257d9e99cb01761e6a74b9afc1619780f9d5b3d8be1d923cd42dd720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
db3dc841514b43a09520327870eceded

SHA1
e7f0307152a398eb3ed0710189a6e923ce935542

SHA256
1d8f411a5cee76973daee6480c7485d05f751c899d9f52a2ea43731b41795104

SHA512
844cfa3f894d4760cb9aa07f72b9754fdc5398e6155d8944bfc9874bbd513ab0edba7c7b02344c9fb327de31ee1e8018e497567f5b3b166db9f729dc201165ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0f0c569f1377d07aff0be3c24c70c8f

SHA1
f3f67e032c899fa9278fe301c7e4de58ad0e8db6

SHA256
4e309ea6626cc860e91616dbfb8a2d9d8a0634b9c3d187e8404c70b52bd748db

SHA512
fab9ede1230edcdfdf916fa74e533542c3d53b2f928917248cb0c983f203e3ab86b9f0ea8b1ed948fee5488139a85f35642edb9cc762d7c6426257c4343712f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f6c4.TMP

Filesize
705B

MD5
a09a460630b778080e30da49b0938255

SHA1
e025c31a034ea697ec646b3c2267af5c01994cf9

SHA256
7baabb26c462d79c37d5d8f0389b6c6812a14f01018972f14253aca21aac71d8

SHA512
b427a700ea5d0a12eac06671fc152f6b9d7aaed2a5a71a0af2b80ea33a7f0abed41ae42a4a21bf3661d9527b34563477fbabd6457079a40d41d7274e12140f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e018f484139bc8a2d835569b385be26

SHA1
111c5aef82feae95f11488e131f1d99f4d9eb980

SHA256
1a687321d9587d8ad5ee201d87f46457b5f6b19c7c5c15d882b26f51212a06d2

SHA512
654754b887f9b68d85fdcd2c8672994c55c014c2038833a3ced69c751ac36aeada40e8f69c909168197a89ea20a8f380ed9252f056c6d181fba183ba4589860c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba4324fb53df33b5d88599cd99edd70c

SHA1
d139ba6f822abbd3e5fed5147f790dbce2d47991

SHA256
88eeb5bc526401b71c4ee2c8f79cd88187170b1d29fc9a78a3c3dd66c2105ee6

SHA512
ba3bdfc9c7638a839b4b90866f67c154f203b012669e85402b38feec9a10c23e7e20edd07774c9931f4a107b046d5932c26ad283457206c39b1a58ce615278e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ef0638b2b6953bfc2d2ab191f8666e22

SHA1
92d23bb0cb5e2ebf39d484ae10d116285f409152

SHA256
63f2e4cf8d2ed5c1146c659e91d2fc1ae79f84d883fc5cc30a98e3ae86e43b74

SHA512
3834873997fe6bbce609b29b8b2b93a6c49464d727ff6ae60a6bae3e4199df8f1ab3ffd711b7fc72932decd0750ccd51fafbe934cd5836f487a39ef4ba7807ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\Distort.NET_VM.dll

Filesize
40KB

MD5
f22c056c1acb6249583c8f2d757e7017

SHA1
12e77a7ba226f94d26dd4c0e9ac7e6117e420f09

SHA256
8f47a492db289ef0972d09f91cc24e7545bcfa59ccf60d3e3acc429e3e870e09

SHA512
d9e3c48def37b3a6f8c8d899ebe297aa5170fdb8e3dad520624dc81df316884c9479708a25db79cdec7834ced2ef91ac75786e1b3c78c559b6ea9b92dcce9e78

Download Submit
C:\Users\Admin\Downloads\CGDL_V2_Updated\CGTraderDownloader.exe

Filesize
412KB

MD5
e7b03bff6bb01d817da8a797062885f5

SHA1
77e6eba3bf335481db9fc877e8e65e18f2af360d

SHA256
88a2c53b2f1160151cb4353d6c3e2c5adc60ebae25584987f48f0aba48bd7079

SHA512
354f62db3220f2c49cbd401d30c7d80c98ece519f9ab1f44c4045349fdeddca1e805dad05997741b499be81c06f909f7b6053fa1b0448f6e97546e9f01e2e06c

Download Submit
C:\Users\Admin\Downloads\CGDL_V2_Updated\Readme.txt

Filesize
68B

MD5
73ab19b5384a8b11a9e724e2b845a6c7

SHA1
76fbf21ee48d47216a159afead0a748f6cf855ae

SHA256
22691776e945e9b12e156041bcc2cbdfa970a1984eef5b3e3cbcce7879edb805

SHA512
ac920810176ce26f6498c983810b5cabd42372318e11106b6686f271b3b4f807041acdcb2bbcb40dc234879ce2765f3154c7e40403b01c01f33649b4d80233a4

Download Submit
C:\Users\Admin\Downloads\CGDL_V2_Updated\downloads\tac_glove_039_viewer\thumbnail.jpg

Filesize
14KB

MD5
6c07818ff3050e72c7ab6dd6478e79ce

SHA1
e4b6e80c2fc5cf5ed24d9086f33e854720cfd78a

SHA256
75ded08013c6529c14fa98f31b951c258f50554e3ae93d511c102fec26a8e52a

SHA512
f29437a29f6d4954d8f6b43a2071eeee5b69f7af0ebca18590be75533f057ff12ebea875230e53fb75c672eb80064bc4a798fe4d02529833acf6e6093fe504c1

Download Submit
\??\pipe\LOCAL\crashpad_1968_MKYTCNGVVEVWNHGQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4748-1174-0x00000000006A0000-0x000000000070E000-memory.dmp

Filesize
440KB

Download
memory/4748-1175-0x0000000002B20000-0x0000000002B3A000-memory.dmp

Filesize
104KB

Download
memory/5216-1782-0x000001E3E5910000-0x000001E3E5911000-memory.dmp

Filesize
4KB

Download
memory/5216-1788-0x000001E3E59B0000-0x000001E3E59B1000-memory.dmp

Filesize
4KB

Download
memory/5216-1787-0x000001E3E59B0000-0x000001E3E59B1000-memory.dmp

Filesize
4KB

Download
memory/5216-1786-0x000001E3E59A0000-0x000001E3E59A1000-memory.dmp

Filesize
4KB

Download
memory/5216-1785-0x000001E3E59A0000-0x000001E3E59A1000-memory.dmp

Filesize
4KB

Download
memory/5216-1784-0x000001E3E5910000-0x000001E3E5911000-memory.dmp

Filesize
4KB

Download
memory/5216-1780-0x000001E3E5890000-0x000001E3E5891000-memory.dmp

Filesize
4KB

Download
memory/5216-1769-0x000001E3DC5A0000-0x000001E3DC5B0000-memory.dmp

Filesize
64KB

Download
memory/5216-1773-0x000001E3DCD60000-0x000001E3DCD70000-memory.dmp

Filesize
64KB

Download