meduza | hxxps://github[.]com/Apietcsvmy/xeno-executor?tab=readme-ov-file

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Apietcsvmy/xeno-executor?tab=readme-ov-file

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

resource	yara_rule
behavioral1/memory/2724-305-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-308-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-318-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-312-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-317-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-314-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-313-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-307-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-311-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-306-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-326-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-325-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-329-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-341-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-340-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-336-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-337-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-330-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-342-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-383-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-377-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-376-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-373-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-371-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-365-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-389-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-388-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-385-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-384-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-364-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-358-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-355-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-353-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-352-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-349-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-346-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-343-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-382-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-370-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-359-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza
behavioral1/memory/2724-347-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	librarydll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	librarydll.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	librarydll.exe
772	librarydll.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	camo.githubusercontent.com
35	camo.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
100	api.ipify.org
101	api.ipify.org
110	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1228	cmd.exe
4752	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4752	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4860	msedge.exe
4860	msedge.exe
4464	msedge.exe
4464	msedge.exe
2820	identity_helper.exe
2820	identity_helper.exe
4736	msedge.exe
4736	msedge.exe
3064	Xeno.exe
3064	Xeno.exe
2724	librarydll.exe
2724	librarydll.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
3908	Xeno.exe
3908	Xeno.exe
772	librarydll.exe
772	librarydll.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	Xeno.exe
Token: SeIncreaseQuotaPrivilege	3064	Xeno.exe
Token: SeSecurityPrivilege	3064	Xeno.exe
Token: SeTakeOwnershipPrivilege	3064	Xeno.exe
Token: SeLoadDriverPrivilege	3064	Xeno.exe
Token: SeSystemProfilePrivilege	3064	Xeno.exe
Token: SeSystemtimePrivilege	3064	Xeno.exe
Token: SeProfSingleProcessPrivilege	3064	Xeno.exe
Token: SeIncBasePriorityPrivilege	3064	Xeno.exe
Token: SeCreatePagefilePrivilege	3064	Xeno.exe
Token: SeBackupPrivilege	3064	Xeno.exe
Token: SeRestorePrivilege	3064	Xeno.exe
Token: SeShutdownPrivilege	3064	Xeno.exe
Token: SeDebugPrivilege	3064	Xeno.exe
Token: SeSystemEnvironmentPrivilege	3064	Xeno.exe
Token: SeRemoteShutdownPrivilege	3064	Xeno.exe
Token: SeUndockPrivilege	3064	Xeno.exe
Token: SeManageVolumePrivilege	3064	Xeno.exe
Token: 33	3064	Xeno.exe
Token: 34	3064	Xeno.exe
Token: 35	3064	Xeno.exe
Token: 36	3064	Xeno.exe
Token: SeDebugPrivilege	2724	librarydll.exe
Token: SeImpersonatePrivilege	2724	librarydll.exe
Token: SeIncreaseQuotaPrivilege	3064	Xeno.exe
Token: SeSecurityPrivilege	3064	Xeno.exe
Token: SeTakeOwnershipPrivilege	3064	Xeno.exe
Token: SeLoadDriverPrivilege	3064	Xeno.exe
Token: SeSystemProfilePrivilege	3064	Xeno.exe
Token: SeSystemtimePrivilege	3064	Xeno.exe
Token: SeProfSingleProcessPrivilege	3064	Xeno.exe
Token: SeIncBasePriorityPrivilege	3064	Xeno.exe
Token: SeCreatePagefilePrivilege	3064	Xeno.exe
Token: SeBackupPrivilege	3064	Xeno.exe
Token: SeRestorePrivilege	3064	Xeno.exe
Token: SeShutdownPrivilege	3064	Xeno.exe
Token: SeDebugPrivilege	3064	Xeno.exe
Token: SeSystemEnvironmentPrivilege	3064	Xeno.exe
Token: SeRemoteShutdownPrivilege	3064	Xeno.exe
Token: SeUndockPrivilege	3064	Xeno.exe
Token: SeManageVolumePrivilege	3064	Xeno.exe
Token: 33	3064	Xeno.exe
Token: 34	3064	Xeno.exe
Token: 35	3064	Xeno.exe
Token: 36	3064	Xeno.exe
Token: SeDebugPrivilege	3908	Xeno.exe
Token: SeIncreaseQuotaPrivilege	3908	Xeno.exe
Token: SeSecurityPrivilege	3908	Xeno.exe
Token: SeTakeOwnershipPrivilege	3908	Xeno.exe
Token: SeLoadDriverPrivilege	3908	Xeno.exe
Token: SeSystemProfilePrivilege	3908	Xeno.exe
Token: SeSystemtimePrivilege	3908	Xeno.exe
Token: SeProfSingleProcessPrivilege	3908	Xeno.exe
Token: SeIncBasePriorityPrivilege	3908	Xeno.exe
Token: SeCreatePagefilePrivilege	3908	Xeno.exe
Token: SeBackupPrivilege	3908	Xeno.exe
Token: SeRestorePrivilege	3908	Xeno.exe
Token: SeShutdownPrivilege	3908	Xeno.exe
Token: SeDebugPrivilege	3908	Xeno.exe
Token: SeSystemEnvironmentPrivilege	3908	Xeno.exe
Token: SeRemoteShutdownPrivilege	3908	Xeno.exe
Token: SeUndockPrivilege	3908	Xeno.exe
Token: SeManageVolumePrivilege	3908	Xeno.exe
Token: 33	3908	Xeno.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	librarydll.exe
772	librarydll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2108	4464	msedge.exe	83
PID 4464 wrote to memory of 2108	4464	msedge.exe	83
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 436	4464	msedge.exe	84
PID 4464 wrote to memory of 4860	4464	msedge.exe	85
PID 4464 wrote to memory of 4860	4464	msedge.exe	85
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86
PID 4464 wrote to memory of 3168	4464	msedge.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Apietcsvmy/xeno-executor?tab=readme-ov-file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeca0746f8,0x7ffeca074708,0x7ffeca074718
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,17301202322020647440,18229686488121285538,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2340

C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe
"C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
- C:\Users\Admin\AppData\Local\Temp\librarydll.exe
  "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1228
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4752

C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe
"C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908
- C:\Users\Admin\AppData\Local\Temp\librarydll.exe
  "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
04c135696806f4f73cef0b39f67b95dc

SHA1
6faeccd7f14952e01c09381132a8be6f68474c3d

SHA256
02bb41d22cfeff7a513f24cfb09d5d8b55a41a0061b17d18eae67a6183cbd254

SHA512
097101be94432d559822b62b22075d2b0fc79e238621c708cc93edb4d1fd42c31ecf9acb6a6221a448ab36330ea19dbb9c46420980d24f009dee8bde639d2103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
f60b9fe29becd867382c4e1484808685

SHA1
d7c5960f0e7168f27a2a268a94b1ff4578674406

SHA256
842637c0ecd0743e1fb170d99331fced15fc034c29eff59d516b30f4f3dd1ca0

SHA512
03bba995adf742c46e74e8a2fff2ac836f815317e215fb19e5567344677a89890070b36d60f96c99210b14a29246289ce441f005a2b4528c2d28095fc3436ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xeno.exe.log

Filesize
4KB

MD5
23f8e6a7110e076eb9bf651f14da779c

SHA1
91d6b17996e1bc42b96c3bcc02863791282694c3

SHA256
71d661d77763286f20fd75c36eb90cd6a2336aa9f179e160542ad035985ae10d

SHA512
d76a11bebad7411dd6b34c7d828144dc70ccc37045719175bf2575a56fac1a28f1bc16855d227bf9c2434977538247b89c71b277edf013a4f768a24f38df052c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
df59e083f1e8af3c81878a4e61849f30

SHA1
f975c9bb21ee57f6dbbaf4efb6b8bdf50aaef693

SHA256
dd741c7b91c47da337457e4e8f6717587b3e1a9bf3e66362e78fd60ee9c95926

SHA512
7b6d5674d2620ae98fb7993c4cc18c3b29ae63e43094ecf5f19d91d05344a8dd0ec4146810ed6c7169d8d53ee83fb95d676013561d7ff07436eed76501a5f555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
4f237af9665e94b7eb8df90ef339ed9e

SHA1
f511ff3deafd90772914f43de547b1fe27c9a553

SHA256
6a827591cf398ecbcb0258872bd15af245377ca5c3aa05889b95a99525c3a93d

SHA512
1b24d95ba33d279f8078eebfb4712669d5b09b373ee81ecc81b2ab8a093452d383356fe89000ffcdd8822ff201fbe578963cd0265b1e5d53c99c68f697f0e08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f3a8dce1e70bd001c7a4615eb9b4859d

SHA1
ec17df3dd575cad80b7f584d0e2867ab8ab42236

SHA256
82d3e487dbde2751cb68df62835b722a9abbb9bf59e9b79557a7a71ccfb67948

SHA512
98261ffe7a1ab387ea8cfef4738ca7875e9a90c19681e4ad6c7c53e8139699511f38319391f561772d5a33dcf79c135a5e4e063fee52e89ea5444e2ce421bb8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
502a181d632ec29707a73bf51ec072d6

SHA1
f688dfe431aea5887dc2094a55378cb65a5a7b56

SHA256
4f7c08064d17bca1ee20b77c96ecd7e1df22baa73abc989a4e3d904c3734b408

SHA512
dc7c7cb74dc42e553aca93be7937ac2f4e675d3f6ded0199ecebbe67dd11ef14d6cd3227a40534fa427cf7af45b3714d8815401996d098f049afc82ab3e198bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
59a192fccbe6247a3f5fb96ef0db3691

SHA1
d40cb7852df93527780ba735fb9712648d790efd

SHA256
8ca75a800c29f85b3fb0f127e9aeabb352437eee407d4eaf35dc1cb4797914a1

SHA512
7488afb28b4434d4a044f15485381baeb73a2aaffa45c62f084723d56d27ded05a0166d88873ad366ecb371e102dc79f8e8ac89bd1a1d744d0244d01c50c02c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
744B

MD5
6cb81ef9b7397c8bd36eacfb3587d411

SHA1
b40d4c4fdbc35c7cb3861fdc90afad0d9f54da82

SHA256
6a747efdaa7bf9f6f0fae00a6aebe681db61283539b58682f4bea28724841da9

SHA512
4b706a7ee879818d970e8a4e52693c453b8e312a6e68ab444da5a2953adcdf8b96af652c90d8a0e096a06edc610eed5da50c63007d6a8347fa4648fade9f5fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44bed5a84cd8f026660b4b0036db9fa2

SHA1
ed10cda760072a679a6dbe85047509a7ee9a093f

SHA256
e4b61550d2ebb6559fc19636a8fd6802b3d1ed964863830dc518027eeee185aa

SHA512
ce7f82d0496846541bd491a20593bdd027b51a9fe8726c66bbf87e951630adad470de73b42e64c77969b9560f3a78e2f12ed7ac9ac084b68652c66c71a8c542d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffd03c309bc2f2fc266eff31f39d3e40

SHA1
de9ae6f15516093524b3da7e84346e306d3cfa8f

SHA256
40ce6d0f519a0029f68553884c6b135172e71b4cd95a77a51f37249df5928f83

SHA512
df3344915d5580a9e69de337690070a894f53c163ebeda247ecab0c993ec9476d1a605ab45235f4d121ca7a31922e69f2abd23d01bcd740eb6a4162087461297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ebd3b80a50d78b4b36f0be46cb15d70

SHA1
78c261e3371c95e0bc3286676b9fcee5d069b610

SHA256
81d709bb029b31992f8c690999c3ececde25e92f5b94c33778451d6995d9d330

SHA512
8269dcd6900011545b795e316f83d2cb32f70f18195c0058c38094cf65463311ffeb435babd6f60f944f27c1c86a841fc6ec5df555410e3a5f7298fb3fea1d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cf75.TMP

Filesize
1KB

MD5
ea94510406f65c59a468fa702cc39828

SHA1
0a45e8f333d66ca48457fc8b6a3abbaae44e5d3d

SHA256
080a48fc2c92c582be71f7ca8d3bc6cb48c9cadb5f5f998e8d92c89dc81731c5

SHA512
0f9e4d4525d3ae3331d41028b5b4875e385ab0db4bc3e9e6f997f81979011ee54114ca53fddfdae8b780d35580a313b4cbf326d54869861b295a317c29ce3888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec20e7916677afcf951bdd4a3a749775

SHA1
0a7206959d0e65f5d426c99119608c137e22d7bb

SHA256
b4eaede1f23a8b8ec57075d35e79ba9d3f641c3e74e6888347e03cb412ffdd84

SHA512
37b325b0a250a1e4539c9d24f164a6f47870583bf1bfa6d3e3bc937f817b67ff15ddc56d34d5b4eaf157a82d277cd114ec488205b1b6b0afdcbe6715205a8559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8adbe8f73eae5e20fad8a894109ea7f0

SHA1
0c38ec0241771bce4c2a3bfa8c63d05340fe4d59

SHA256
a5207ba7e20dcae6516ed9edb54dc7ba67e95f3beabba56020eb00f6b0fe92e7

SHA512
bf65955164e3511624f2ee8ca2e558c828e416de057d477fc0a8806adb3e7f680b613df2ae7eb140de75c40dab063721e279227e03373c0c895396d3cc8020cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
620e715b2d911a624082f02135ed3134

SHA1
19ecb02e19e47528122c6a77c2300d40b71641be

SHA256
0058efc820fab41a09f7b9037f5ac2e5a67bd411b3e83f9ca6ed38f855554c47

SHA512
9482e692089b4649baecd637c241fb9dba99dbc38ac06c0c9c368415979077914a44e7e3e453124f180b9c5adfa8e18b98e8879a5cd2e3e9aabdf01d3789f1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
fc3efe479324410856822cfc06454fb1

SHA1
684ade4167a5bb9d788d8b50fffaea72bf5b2b32

SHA256
956cb9889287a1bfd31f462a9ed76f67c3be7310cff4bf3f148968069f82ea0b

SHA512
c06a323aa7691641ddb51fe245c4dc4495b500a02759bb87c1f8e685d6e71854aa26f926294512c434c5d171372190d8b6d3a60f866d05c6b3c0d6f75dc439a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq02ipzw.zbi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\librarydll.exe

Filesize
3.2MB

MD5
64e8b8072013432ff67405d9365129b4

SHA1
50512261248e2122257d343ff897009e75533c91

SHA256
d020b6622f75cdcb553ef945f86b99f71480f74051986bc6fe77784925fb060a

SHA512
19921bd0e18d45f4f46c0546738cc2de1bb85293503c0675f7b6d23bbefef743f3c8632b6831f5ccb4b9e49821cd05df94805a53c671eb5dee119b7ec9217707

Download Submit
memory/2724-341-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-389-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-306-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-326-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-325-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-329-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-302-0x00007FFEE78F0000-0x00007FFEE7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2724-303-0x0000014E7D720000-0x0000014E7D721000-memory.dmp

Filesize
4KB

Download
memory/2724-307-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-340-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-336-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-313-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-314-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-337-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-317-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-330-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-342-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-383-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-377-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-376-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-373-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-371-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-365-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-311-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-388-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-385-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-384-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-364-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-358-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-355-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-353-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-352-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-349-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-346-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-343-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-382-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-370-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-359-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-347-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-312-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-318-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-308-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/2724-305-0x0000014E7D750000-0x0000014E7D94A000-memory.dmp

Filesize
2.0MB

Download
memory/3064-293-0x000001E9DEDC0000-0x000001E9DEDE2000-memory.dmp

Filesize
136KB

Download
memory/3064-283-0x000001EA00000000-0x000001EA01000000-memory.dmp

Filesize
16.0MB

Download