meduza | hxxps://github[.]com/hugodq/Wave-executor

Analysis

max time kernel
63s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/hugodq/Wave-executor

Score

10^/10

meduza collection discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2020-245-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2020-246-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2672-269-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2036-271-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	camo.githubusercontent.com
31	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	api.ipify.org
75	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2020	2572	setup7.0.exe	127
PID 4836 set thread context of 2672	4836	setup7.0.exe	130
PID 4428 set thread context of 2036	4428	setup7.0.exe	132

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1184	msedge.exe
1184	msedge.exe
1932	msedge.exe
1932	msedge.exe
2852	identity_helper.exe
2852	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
2020	setup7.0.exe
2020	setup7.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	setup7.0.exe
Token: SeImpersonatePrivilege	2020	setup7.0.exe
Token: SeDebugPrivilege	2672	setup7.0.exe
Token: SeImpersonatePrivilege	2672	setup7.0.exe
Token: SeDebugPrivilege	2036	setup7.0.exe
Token: SeImpersonatePrivilege	2036	setup7.0.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1772	1932	msedge.exe	83
PID 1932 wrote to memory of 1772	1932	msedge.exe	83
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1264	1932	msedge.exe	84
PID 1932 wrote to memory of 1184	1932	msedge.exe	85
PID 1932 wrote to memory of 1184	1932	msedge.exe	85
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86
PID 1932 wrote to memory of 3472	1932	msedge.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/hugodq/Wave-executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92bda46f8,0x7ff92bda4708,0x7ff92bda4718
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,16229251608212169980,3427215812139269962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1984

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2572
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2020

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4836
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4428
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
df4159608bd71b6861684ad1623df30c

SHA1
7804a7ccd375287ee7365c2a24870144030628a5

SHA256
6533c6d47087e66455b67b070fc8697cce6c30b7b9250507f0cb2ab3da9c299b

SHA512
7e09a34c4b1880c2b7241ee7444f252b33d11734f7e515405ced3c12ce6d827bec3e4ba1abf7657f076ad6831f1b0a338bba3f17df266323bb2b3e83814335f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b2b972ad2ca2ee86670297c10138d798

SHA1
146b98c7eabef059692a6b9e596ebcad987cd2d9

SHA256
920d84a403179537787b19e22be518b4f00bff2b85eff152d05cba40ba61658a

SHA512
da17a4dd9898c4ab0a3a84af31ee723026ecf045435bf3895616c2e73ef026d3bb16c885fa5dab2a9a9c65d9702ce1fa6af3fdc37baaad77605311c872c17076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d1d496f745079e28b8155d379682dae0

SHA1
0389d64132a043ea96c6ec58967828db052e524c

SHA256
8f5a031da776ef78f576052744501bc9c70d51119f37fc4048842ef715863f16

SHA512
725e8bdd8907ab6533d640560b38e9f80fafec93c1c35275fd03fefcce055d28f17b2126b0d6f5db86e81fd88b60485d0bdba29c7a6a2e9f98629d0c5cfb1c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
13KB

MD5
f23ffde880eb57e6f38a22fd7ba49624

SHA1
850c5087a599f947629af60881db54309ddb6326

SHA256
5bf8744106b86330682067217588f27aab9d4b6dba0349b613d335a38dd489b1

SHA512
8c9d4625cf23ed040a7c8133073fea95a8805a3552ecd59feda16a3e157c30caaa427c8380862ca799a4183d37ef3e7f08dc707ea67329d3d429813f87eb9800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
bae62886d99281a26397d0410bf84bc8

SHA1
7aa438c4a1c0fa8eb4ce350f04f0ad95fa497f4e

SHA256
92aa4ea47b448b250662c6700bf4f3d4374baf12297ec5f5293a3f34642b7043

SHA512
c373591c6a91b0e896fd08c67aa3e6bf800e4378ee4561aa0f6794b0add4204de31ccaa120b0ec4dcf4d892852588d585eb8ab6cf9d3d684e49effbb8cdb65c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64e6a9595b22e50476c9627b604394f1

SHA1
e922c3b80fdead9cea0728777c958a19edec270f

SHA256
847721801343e280499d47cd36da4bd2b37e9b82635a7a2d5504d558de73d1a2

SHA512
44192f2a545596368a6bf639422ca00a208f08ed5f340fb9c3b5e12e457ec66a673824cfb7f4d9c85656ff5764b3bffaecb19976c540bf13a0a1dbb4e67119e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0f33a50767f10977b42c12120b775de

SHA1
f43c4acac15845d5806ad806fae536208efc7c09

SHA256
01a8fbaf1d63bb28648f5b20f15fedf8dff8866336a7f78b2e5d9bf62da3c44b

SHA512
04b7db294279e1c3213d82d3a7a59ab0bc8ec18559b0b821129ca7419154369df453f1e93530bfd9644f1d7ed76fd4d4dc9635047e65ecf802b3d80e27b5334f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
233117a8770e7d75c152931148cd8580

SHA1
9541e5c22695361c013a119e91491f65abaf340b

SHA256
149ec16f083214a8195385b2874912d8af7346fc739eec690ba124e158acb100

SHA512
bf9f1258df1d84743743310f24af69fd1d4f03edbe6314c85a2465b62cc5945f3a51fd497ffdf8203f2775750d341f5dd76d7ea5ba3a7dceec3972201e301aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5fbdc8082c18ad81b3918dc6ca768f65

SHA1
75f94bd0bea796dd8b6f5d8182666873f458955c

SHA256
a268fb6e37216fc2cd9e0a56a3fe2c18f1220c38262a18256e4c4c3819907da8

SHA512
bad003b98191be31e26cfef02aab0ef51b70d5949e2b55ff0ebcb6a71a6df8032997393266677b55e942a815459f60406b1d779e339143196d3d03ec5202bc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f211.TMP

Filesize
1KB

MD5
9744b43577d9fdca22b010bddc1f1e53

SHA1
69973b97c2e84adb0e7ba898e85c2e36d555cf1d

SHA256
ce832d213ddd8f639208d4390044abbe74ef02a0161cc17b7cdaff9d76d0996b

SHA512
50c1d24e34496ebc405daf0fd1603482737ec3a1df50efb9e8b45d70210f893f4885d9ec4b6d33ec0f2b2d0bda8538aa2c56595666da14543694c9fd225936c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2875e2425980a943163f5ba5adbbb195

SHA1
5622474d971a803fa288e0538db1e60f0a646b3e

SHA256
42c6c04cc58d349d5b3638cbfb3155cb36468adef60ad8b5e5d658d49d235d86

SHA512
cc85675445ef034e20c3d6ac860b0c9d47318855736c44a39b460ab059fbd4e6dc4a0d99781f9f7e47e3398bd5518af2c5b31682dac7b06a0053791815f4988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33d3488e296b7ad3ff73c58301650b4c

SHA1
e6a063a281c04d94b2d357b9dbc31ab1ecbfe24e

SHA256
3bb2e11aac6779737f3adfd2acc18740d38dcc6af71b0df60b556e3f6c809071

SHA512
0cf1b068a430d9925c4ac79a0d6f43be01fbd3f5669c1445df2b90a21aff967eed4a013c84ce8dc2a3c4ec12a3ab76631c3ddd5812a3c56f24dc95add8395022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
264b310530f4c596350ed4747d390acb

SHA1
34ec7990b6f767e23ebc02985875f8a64e0da1a1

SHA256
de2d28841b67b45b1eb9344c70c5829fa8c78e36b4a9ca27188484773e59386d

SHA512
fd9e218956e62baf19afeffcd764c73579f1c7e2fdeb4a905222d3b9c7f4fabda078e4de696594125e64f59ab8167165038a0c445993caf84c8923e2d75d1b2f

Download Submit
C:\Users\Admin\Downloads\Setup5.0.zip

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
memory/2020-246-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2020-245-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2036-271-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2672-269-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download