meduza | hxxps://github[.]com/Healix-YT/Wave-Executor/releases/tag/Download

Analysis

max time kernel
138s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Healix-YT/Wave-Executor/releases/tag/Download

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 40 IoCs

resource	yara_rule
behavioral1/memory/1668-232-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-234-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-237-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-244-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-243-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-240-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-246-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-250-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-245-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-249-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-239-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-238-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-266-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-267-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-270-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-271-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-282-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-281-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-278-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-277-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-287-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-288-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-306-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-318-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-324-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-323-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-317-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-314-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-329-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-312-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-311-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-305-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-300-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-299-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-296-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-294-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-293-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-290-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-284-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1668-283-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 6 IoCs

pid	Process
4124	setup.exe
1668	setup.exe
4788	setup.exe
4500	setup.exe
1196	setup.exe
2212	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	api.ipify.org
74	api.ipify.org
84	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4124 set thread context of 1668	4124	setup.exe	118
PID 4788 set thread context of 4500	4788	setup.exe	126
PID 1196 set thread context of 2212	1196	setup.exe	128

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1056	PING.EXE
1368	cmd.exe
1840	PING.EXE
4456	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3424	notepad.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1840	PING.EXE
1056	PING.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
2820	identity_helper.exe
2820	identity_helper.exe
548	msedge.exe
548	msedge.exe
1668	setup.exe
1668	setup.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4500	setup.exe
4500	setup.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2276	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2276	7zFM.exe
Token: 35	2276	7zFM.exe
Token: SeSecurityPrivilege	2276	7zFM.exe
Token: SeDebugPrivilege	1668	setup.exe
Token: SeImpersonatePrivilege	1668	setup.exe
Token: SeSecurityPrivilege	2276	7zFM.exe
Token: SeSecurityPrivilege	2276	7zFM.exe
Token: SeSecurityPrivilege	2276	7zFM.exe
Token: SeDebugPrivilege	4500	setup.exe
Token: SeImpersonatePrivilege	4500	setup.exe
Token: SeSecurityPrivilege	2276	7zFM.exe
Token: SeDebugPrivilege	2212	setup.exe
Token: SeImpersonatePrivilege	2212	setup.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe
2276	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1400	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2304	1624	msedge.exe	82
PID 1624 wrote to memory of 2304	1624	msedge.exe	82
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 2228	1624	msedge.exe	83
PID 1624 wrote to memory of 3544	1624	msedge.exe	84
PID 1624 wrote to memory of 3544	1624	msedge.exe	84
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85
PID 1624 wrote to memory of 4352	1624	msedge.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Healix-YT/Wave-Executor/releases/tag/Download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5bfb46f8,0x7ffe5bfb4708,0x7ffe5bfb4718
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16599569980632765378,13650164777675606639,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4840 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:60

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1332

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\setup7.0.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2276
- C:\Users\Admin\AppData\Local\Temp\7zO4E8DB44C\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4E8DB44C\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\7zO4E8DB44C\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zO4E8DB44C\setup.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO4E8DB44C\setup.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1368
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1840
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4E8B09DC\0000.ui.forms"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3424
- C:\Users\Admin\AppData\Local\Temp\7zO4E83E54D\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4E83E54D\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\7zO4E83E54D\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zO4E83E54D\setup.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO4E83E54D\setup.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4456
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
- C:\Users\Admin\AppData\Local\Temp\7zO4E856C7D\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4E856C7D\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\7zO4E856C7D\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zO4E856C7D\setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ce6124234486918a4d5717a6695bb193

SHA1
e38661e7d1d2bae88bd7d1005dac8aa91338e23d

SHA256
879c2168bd23d1dd7fd87a60d7fc1e1b5f2def0332b309d4458627af70872e09

SHA512
280b337018720ecdd0fea071ad812745d31523c151b302ac6344d3c84b359af7b66f436c174c0e356ae91c8397ae67053099cf93af3fd5bfb5fd08d56dc35642

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
f1f4baf2b63e2a1f5b568aefab1ad5b7

SHA1
c70bcee074a5b87e5f125c84fca9531a86032a4a

SHA256
9d849b67e8ca2b1ce5c6bf4e9525f6ddfb3f7eab017812cf456bd756d1469cb6

SHA512
6a8dae5bee6cf99f207cff955e799a87871d75e7874530c397d4f529004bebfa001d9977288184c110c1a92784cf1c5b85c585003fb69dd5cc600dcc6ee46318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
76747b5746e0b5f918856d5171c5614b

SHA1
80371003a3371d19cc6d5be76fd2b382f56dde01

SHA256
3919439c8944c4fd47e4232eadda4fa6f327c79dc547d10d7e45e44a0609baec

SHA512
15276375ea1a7205cc2d8c045994c45aed036ba05438df91cab0853d5c729b43b4da1890cee1d44c22b70c527f286f2233cec7bf7bbfa278863d467c4e6264f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
fdedbd0e5c33f5cf252fd8c447267914

SHA1
10a8ef23143c5025dce8201ae9f650b8ae8af237

SHA256
d4d43b98e11b4e7c1555f8be52ce8fba9887a9b056ed055bd5c773b472a39706

SHA512
352ffe30cbba7672b95cca815246cf61e471b6b4ec435557669b34944b8c62e0c2150817c6a77ff5ee7855869b1fe30c0e798c96de45ba71ff710614e435751b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f82a04ecf8d0b46c4b2199a7a6af618c

SHA1
de86dcaa214a91d550871ad8cda2729d7abfbc8b

SHA256
470735a7b74cde7f93083390658134f0e8103513f555876d508c868cd77a7db1

SHA512
7d0f556c64605b1805036f5dabec3a90739d52d0f6af58894ec7658bbbcd3bab44f6a33d4dbfc1242c2ec031b7e983281d3b466970fda2e852db86b3a5392f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
10KB

MD5
851160b9900da204b8b3158f74dd28d5

SHA1
7ac6debce642aeab9c243a29dd0220a7e2a5bd4d

SHA256
3a6b49fb4bdb9b282caf4b4521b9d2fa15aaf630cd9913a8deae0e9f89bbc952

SHA512
41c7b37757aaad7d9a7e222d8aa40ca5fb75f162d075e1be218ee6f5e83a14516b85b1a94a313d5c26750a4c591f98fbdd8280f63b3d3860c33baf7734d274c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c458d9bedc6ba03864ecabb22f502482

SHA1
43c857c7c4441e344348c82ca140cc4b67558970

SHA256
9222b2e2ffcf7bf7f4b11bc1fc02ed981d64109cabb11c2300ae8ce4e532aa94

SHA512
67976457b701003d7efebc4b7088538fa1a14d421f848c3fd73d82858d4b42e7e493abc5f73ec529d0cbb1c83f142a48ecc1c17c467386394982bf09dce2b4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
34a72154ed9746a609b29d25ad8d6469

SHA1
ee1fc6413972b90af4973bc1c158c47011e757b5

SHA256
629a1e55ae58d7e9e13caf2aabc58ad73415b514df679a5e15ac561b1b549f10

SHA512
2789dcc6843a73666ed06d51a7bfb8e92dd7c0a82062dc0d252d883e4c943fc229932fdb1410e9d40d7a7dd965623f3df582640a0952adf7feb7e05a68e37d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
378ed3648269096370f344e136ae8faa

SHA1
b767a7b64aa97cbfe8806e0fe343ef1987f323cd

SHA256
230acbfe545d88544e5bc95b6f369393cbed18d1c506c913ffb15d82e64e5b33

SHA512
7d9463bff792d07ee1875dcccfc7a7068388fdfbbc8e0fd42b6f921f36faabe9210acdc9465ece4a1134ae1fa4fc2842568758653c22c82c8fde54767adfcccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
798ed4cac1dc5f5c7367650afbdbea63

SHA1
5e6c9e90deb87cb61bc0ee06256f7996332d8518

SHA256
67785eec08c2971cca9cc6a9d8014e954afaa87ba490ffeeac1b3cdf69d3fc4a

SHA512
9f384ae781a91ef2ef25f6489621745c2efac237bad0bd980be9ebd274b6fc0883638b7f48a623667b8c1a0026abb640c0bac7f33e8e0918b37a0cf01d4fd655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23cab0cae2801306c792eef607177455

SHA1
5371acaed52d5528bbad3f86c07550425a981d92

SHA256
315c1dbf81f42566de5fa41d649a5696c66eed7d6dc5e08704e297ec035e98e2

SHA512
1142c2903feea9b4830752c6b5459d3a2413ea004659c9e2d7a0501ac11221233902d069876aa9a35c244c721c0018bfa89bd59571a2f51e5146df151933a794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
518a855ea82a243577b39a4339508253

SHA1
f24386f8895347aa945ada0cfe607267dcbb60a7

SHA256
f562dce6d6b7fb12f545c3cbd5cb2853ad271088e39864ec5d16676442fdcf8c

SHA512
6c1d2081ae348445c22a8f058a79518b363ffb602f085c1ea3ec8887444a9119b6637ec2f47c7002dd2bd7f1063b25c471e1799ff784cae6b07e7d4a33928083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
80ede1b61b8fcae8cdd44e9752540704

SHA1
8f5e2afd4906908df0e3b0b62924fccb60150cd6

SHA256
77710df943985346ff13d3db166fc2d18d0900228d1475b9162cb7e1f1c84720

SHA512
472a8a4c47aa00c910809cc1b51f1145c95af197cfac089d6a663c69b40af7e526b7592286dd89a518dfa3037b9e49f81e6b96caffa61a3aa25a1ca2a4b1da13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c076a.TMP

Filesize
874B

MD5
04e4f90851432fcbd26540a610dd3ac7

SHA1
a9cc78cc1fdc28669aee4d58c545b66c3f23e6d2

SHA256
714002c6aacc0266bee181f1f9b4b4618ce8b44e674196b122df8e8ed2499ae1

SHA512
9b5e4412da0873f79c17166ac1cb9c54f0f965b3f1924853142a9b4e5cf8345930fdd083402b79fdd14f03e9b6ee46b7641589867791168f86784a3769f6b697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22b8b0f3a2277318f55fb8a2a6175d4b

SHA1
9cbcdc5549fd8e00799b003876251a4f558693d2

SHA256
788e16e81b069fe71a986acaf136150ec44e70accb1ee9078eb4e28df4133868

SHA512
576457e65ff8a74ca13499eb9df77e60ee6c35ccea6b2c7a462f0b8981cdb801e240cd5f8b44143208d9e26ae1da67d21e1683aaa7ec247d50c2eac1fd271e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b693d8750c4b148ba116b94c6cba1e0c

SHA1
b37db87ae5d97c2a7fbc6192fdc16ff1e274d09a

SHA256
1bfbaca5efad7fb79ccc4437fd70f393fd4b656c56b8e6672029b621a96c30db

SHA512
06c95943d98b442d12b4cc526a1b786e350ab7191a44b4edec93dc8b89da2980008aa0ae3fbfaa65f340a5a42651cb6ded70d475d8c959b05e66c3081decbb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed0ee900aed640cde9daa0c8f2e14962

SHA1
70f4aa9678980b42f67685d1e2778be2cd845efc

SHA256
10614379a72d8bdfdc63bc099c058b1a9934b7b236437527c6d6a422df322447

SHA512
47a83a663ab4214a6b0bd7a4dc0bb64eb7312c428e92aceaf0f426a513e0adc77382f6031604bd16b27ad0d2f87667a538c783e19f9c1b08496b7d9d4980f2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4E8B09DC\0000.ui.forms

Filesize
60KB

MD5
a68a506afcfd78b3186b586c0bb17211

SHA1
69107a6f6aaf8613b84b2ae55d932d48d7d29e1b

SHA256
44783c068e6d2b30190006225d2bc586a98096d56f41f78e348bbae828cdbcc8

SHA512
7e8eb1643f670772a7ce1a42910847bc8133f463adee428987934110cf2225954b4c8586890e0ebc6d894c406bc5b61fe430c63b67ded4765017186119aed75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4E8DB44C\setup.exe

Filesize
3.6MB

MD5
3b7448485ce62f2ef5325b9e5087594f

SHA1
90262dcadd727ca8f6205d8d66667261d4f99336

SHA256
d356579db6e7184d800db8c6cd9463f6c4479ec4f60b96a83000ecc078c7b6c6

SHA512
f4520836d6924769341756ade4c7e5571f3dee051d4351c86a1380883e8456cd6e7d45f3ba985ea4abe0fab74afe7486786379cb9a626b5a0e51c40f47d935e9

Download Submit
C:\Users\Admin\Downloads\setup7.0.zip

Filesize
3.0MB

MD5
7996e34a143c410db77cab98f2934864

SHA1
a2c9b7d49a0adec33adcb1c8e870553e4e0c0b06

SHA256
6e4ad76ce29d87c7feba7c0e8ee368872d579715cf390ef5e18e072fe819f3f2

SHA512
cbdfbf715a916a38c8fd8d58821497d931fb4d592e67323602d4994b9074bd8226d04dee8598ff20c012b54851debece5b7fcfd4f94211ac1258348cba7b2a00

Download Submit
memory/1668-282-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-317-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-266-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-267-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-270-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-271-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-238-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-281-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-278-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-277-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-239-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-249-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-245-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-250-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-246-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-287-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-288-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-306-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-318-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-324-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-323-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-235-0x00000000C0120000-0x00000000C0121000-memory.dmp

Filesize
4KB

Download
memory/1668-314-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-329-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-312-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-311-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-305-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-300-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-299-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-296-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-294-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-293-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-290-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-284-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-283-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-240-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-243-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-244-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-237-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-234-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1668-232-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download