meduza | hxxps://github[.]com/ExXenoDev/xeno-executor

Analysis

max time kernel
286s
max time network
283s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ExXenoDev/xeno-executor

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Santa
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 42 IoCs

resource	yara_rule
behavioral1/memory/2896-327-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-323-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-332-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-333-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-328-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-329-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-321-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-322-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-320-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-317-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-315-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-313-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-326-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-340-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-341-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-344-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-345-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-356-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-352-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-351-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-355-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-374-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-373-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-398-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-397-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-392-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-391-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-386-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-385-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-380-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-370-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-368-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-364-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-362-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-361-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-358-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-357-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-388-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-379-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-367-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-401-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2896-400-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 4 IoCs

pid	Process
2720	setup.exe
2896	setup.exe
700	setup.exe
4448	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	camo.githubusercontent.com
24	camo.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
45	api.ipify.org
51	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2896	2720	setup.exe	105
PID 700 set thread context of 4448	700	setup.exe	115

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3516	PING.EXE
3532	cmd.exe
3240	PING.EXE
2852	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Update.zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3516	PING.EXE
3240	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
4760	msedge.exe
4760	msedge.exe
4756	msedge.exe
4756	msedge.exe
4064	identity_helper.exe
4064	identity_helper.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4808	msedge.exe
4808	msedge.exe
1232	Xeno.exe
2896	setup.exe
2896	setup.exe
2328	Xeno.exe
1564	Xeno.exe
4448	setup.exe
4448	setup.exe
4240	Xeno.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	Xeno.exe
Token: SeDebugPrivilege	2896	setup.exe
Token: SeImpersonatePrivilege	2896	setup.exe
Token: SeIncreaseQuotaPrivilege	1232	Xeno.exe
Token: SeSecurityPrivilege	1232	Xeno.exe
Token: SeTakeOwnershipPrivilege	1232	Xeno.exe
Token: SeLoadDriverPrivilege	1232	Xeno.exe
Token: SeSystemProfilePrivilege	1232	Xeno.exe
Token: SeSystemtimePrivilege	1232	Xeno.exe
Token: SeProfSingleProcessPrivilege	1232	Xeno.exe
Token: SeIncBasePriorityPrivilege	1232	Xeno.exe
Token: SeCreatePagefilePrivilege	1232	Xeno.exe
Token: SeBackupPrivilege	1232	Xeno.exe
Token: SeRestorePrivilege	1232	Xeno.exe
Token: SeShutdownPrivilege	1232	Xeno.exe
Token: SeDebugPrivilege	1232	Xeno.exe
Token: SeSystemEnvironmentPrivilege	1232	Xeno.exe
Token: SeRemoteShutdownPrivilege	1232	Xeno.exe
Token: SeUndockPrivilege	1232	Xeno.exe
Token: SeManageVolumePrivilege	1232	Xeno.exe
Token: 33	1232	Xeno.exe
Token: 34	1232	Xeno.exe
Token: 35	1232	Xeno.exe
Token: 36	1232	Xeno.exe
Token: SeDebugPrivilege	2328	Xeno.exe
Token: SeIncreaseQuotaPrivilege	2328	Xeno.exe
Token: SeSecurityPrivilege	2328	Xeno.exe
Token: SeTakeOwnershipPrivilege	2328	Xeno.exe
Token: SeLoadDriverPrivilege	2328	Xeno.exe
Token: SeSystemProfilePrivilege	2328	Xeno.exe
Token: SeSystemtimePrivilege	2328	Xeno.exe
Token: SeProfSingleProcessPrivilege	2328	Xeno.exe
Token: SeIncBasePriorityPrivilege	2328	Xeno.exe
Token: SeCreatePagefilePrivilege	2328	Xeno.exe
Token: SeBackupPrivilege	2328	Xeno.exe
Token: SeRestorePrivilege	2328	Xeno.exe
Token: SeShutdownPrivilege	2328	Xeno.exe
Token: SeDebugPrivilege	2328	Xeno.exe
Token: SeSystemEnvironmentPrivilege	2328	Xeno.exe
Token: SeRemoteShutdownPrivilege	2328	Xeno.exe
Token: SeUndockPrivilege	2328	Xeno.exe
Token: SeManageVolumePrivilege	2328	Xeno.exe
Token: 33	2328	Xeno.exe
Token: 34	2328	Xeno.exe
Token: 35	2328	Xeno.exe
Token: 36	2328	Xeno.exe
Token: SeDebugPrivilege	1564	Xeno.exe
Token: SeDebugPrivilege	4448	setup.exe
Token: SeImpersonatePrivilege	4448	setup.exe
Token: SeIncreaseQuotaPrivilege	1564	Xeno.exe
Token: SeSecurityPrivilege	1564	Xeno.exe
Token: SeTakeOwnershipPrivilege	1564	Xeno.exe
Token: SeLoadDriverPrivilege	1564	Xeno.exe
Token: SeSystemProfilePrivilege	1564	Xeno.exe
Token: SeSystemtimePrivilege	1564	Xeno.exe
Token: SeProfSingleProcessPrivilege	1564	Xeno.exe
Token: SeIncBasePriorityPrivilege	1564	Xeno.exe
Token: SeCreatePagefilePrivilege	1564	Xeno.exe
Token: SeBackupPrivilege	1564	Xeno.exe
Token: SeRestorePrivilege	1564	Xeno.exe
Token: SeShutdownPrivilege	1564	Xeno.exe
Token: SeDebugPrivilege	1564	Xeno.exe
Token: SeSystemEnvironmentPrivilege	1564	Xeno.exe
Token: SeRemoteShutdownPrivilege	1564	Xeno.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2896	setup.exe
4448	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2176	4760	msedge.exe	78
PID 4760 wrote to memory of 2176	4760	msedge.exe	78
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 2660	4760	msedge.exe	79
PID 4760 wrote to memory of 3096	4760	msedge.exe	80
PID 4760 wrote to memory of 3096	4760	msedge.exe	80
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81
PID 4760 wrote to memory of 2788	4760	msedge.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ExXenoDev/xeno-executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe19353cb8,0x7ffe19353cc8,0x7ffe19353cd8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6628 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1744,10477893152928555258,2373978947138774106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Users\Admin\Desktop\New folder\Xeno.exe
"C:\Users\Admin\Desktop\New folder\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2852
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3516

C:\Users\Admin\Desktop\New folder\Xeno.exe
"C:\Users\Admin\Desktop\New folder\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\Desktop\New folder\Xeno.exe
"C:\Users\Admin\Desktop\New folder\Xeno.exe"
1⤵
PID:1532

C:\Users\Admin\Desktop\New folder\Xeno.exe
"C:\Users\Admin\Desktop\New folder\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:700
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:4448
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3532
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3240

C:\Users\Admin\Desktop\New folder\Xeno.exe
"C:\Users\Admin\Desktop\New folder\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
acf47482d0c76cfb79bb5ff77cb8dd04

SHA1
525c812023aaaef2528959be152c680a273898ec

SHA256
efe947200418279872b32fe39771b9a7874ba81d5e6434ea6cecd0643672b761

SHA512
5df3e663b1bd27f225e77e39e67ca224227af9a26da2a57d96bb73e634b20d777e4a0c823dd02520804314b302c83429492136a5cdb280dead71e09ce6c4f283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
572d9014eddff77f38963bb17819b7cd

SHA1
a1d9952cfc527697109b0176cb8930c750fb5ed2

SHA256
32e16b97f91282da507ea84f909a4711557e93257e588a52d2d6261ff2d3ea93

SHA512
4d9bf81274ab419b3cc43ba02fa4253fbe3aa7fc7fe6f71a4ac152dd4aa38a02bfe77644a3fd390c6f91147e3c89ebed2e062083aa65c078402f49fe3df3e4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xeno.exe.log

Filesize
4KB

MD5
0ace11e93c1e7574c7a0a57e32213c49

SHA1
4dc4e21f5c1ff2cf9b96380126c4b18cc0be43d3

SHA256
c16b5064f526011aba6e40444e0f8f2cb707057da25a33d5a8653ef749f5e785

SHA512
c5a4736f6a2b97b7aa8cf1590bc828c1b366cfa3e944ffcc2373b5c7da0287f7f9ee01ecea86d80cbaab62227d89ea17b8d29fdf60190984a25b25c89666108b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\52eafce8-2532-46b8-a047-e4df26816bb1.tmp

Filesize
1KB

MD5
e65fa9b5534f7c297012051acbae3800

SHA1
8c14e85e1a284a9caf03be474ff10623c57c0870

SHA256
45df6fd355498b0fc1a8b1231014e9f1ad45e726560e0bdfb8082c802072152f

SHA512
2347502b524f70de3097d1dfd95d005a1d70c8a5840037ad4a46e0281a92686cd13064a463d91d87920e2639084ba2712eea3707619a622c9dd72522f42cb112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e01c4d4bbd4871f6e40770b8458ca61a

SHA1
76964fb5d65dfcf229ef8dd3ccaf7c679dd105ef

SHA256
dce71bab33b77d1c01a6eb28f871eea9ce5ca54a8dd1b398e0225ca203a7d3d6

SHA512
cdca8c0945dfb4567099dc03b614b5ce9e5f63857fa7ac671c4315d78c2b2bc1478146ce28ac3b9ddedafdc12182a09538a61f86483521a8a77ec3b3db3ac954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
d0abf02065fdd2433f027790da61fa3b

SHA1
ae7ea7116cc489c5abd39ad420af9fa279e995ee

SHA256
c0099889ddb1ad95a889338098ad7b2584d2f7d3dd6dcf569e2945b6961f6522

SHA512
c5fa82dd3d7873ba99d426cf0b91994d46637c6dda0669501c7452ad7633852fb132e3b8e446ab2f737008ec67427ab1639818742b662f36f7b1d6db43b49c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
426665c47c54ee6b926af062298f8b0d

SHA1
4e32fb85553b6ad45c5e5a2d298d08f9ffade227

SHA256
731080bcb9410c5e07610d720d8dfd73e4b0053e8745b741d6ac512862c350ca

SHA512
6358cc9838e300e5e177b707207e985d6dd3d682c7de9271f0987a477978e92de42bee4fd5890c2027cbfbf1860cb41e7e8842b6c2ae531bb610c0e5c4b4e2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
1197b93310656c3949c2dd19445f992f

SHA1
40b32b54da135f23a57d374c4451b6f2e1f95ce0

SHA256
df733b70d8a0edf1a5eabbc065729ebd9817c0efb066698930e1bf2c8d3ef147

SHA512
dcdcbd61db4279b0ea7f2a9855a6390feaf3fd74ee7ac2356a672ac3bf456c9f2d4468ffe39ba4f8022d673478d064ef8e9367ef5b02ae05d2ab7f96ff586372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
63e40528fad6e1e467ae775fd654f694

SHA1
9d46a3e83ab7e09ccdfff424e8cb30288bd5d204

SHA256
80dd677e9807371a2c90643fae06e2f54a0c6e5c32bfa546f1397abe8026e0b2

SHA512
d45988fae30888c374f8e4932a0066fd504cb90cf1d04711051e111a69393511710b3af748c6b798cd8bf90f048200857877a95701dbee1aae413f834badbea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
744B

MD5
87c90faefa3ac95821fa03ddcac4be2f

SHA1
776899a261a862b8342515a0c640f4438deba8a0

SHA256
5a5ecf3a48e1d5e74a1be1dac17e2e64886e1a9042440b113b5e4f3a2f6e7118

SHA512
fd7b9471e639c1b3e8dfffd376f91ac2bf15729f42cf3dce668148ebe41cb03cdc811a9d0994d7eb7ddb13b158fac525379c861c3454ce2103aa1e20c041a9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfcdb0d3b6ace2b577fc134a511c1faf

SHA1
17a4e5f2ca27654b7e439cea63f7f34ccec7495d

SHA256
c02a3573413cf5bea14b6987f4d30d0554218ffa67f629aa3b973fb07d406c41

SHA512
54b61eb416790aae3938be1565334d9c24dcd5eaf45aaa06a98b1d7a704cbb175b39edc2abaa145bbde30d3cc95e172f1ac9fb9d243caaf9ea811bf02c902b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e924aedb5fba75d4650562dcf8e14e0f

SHA1
52f440c10d4369245986da340fbacdfe0593fc52

SHA256
25e5093cf5f755668b8c92601ce0c25bc09a342266301248695e2762c69846a8

SHA512
fcb76d7f66c43cca052b7b5b77821afa3603c16e7728b48236f79f5733a4136230116e418b5035896a8c65fed5854119f55cf769817eb8d04b8e9fc764936717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6bf22d5116f9314f5468404df252a72

SHA1
91bd78979e1ffa232eb8c223ddb2a007bef031ab

SHA256
1f7ad2472104ab53f3052484735d8d737197db9f560b4bc8c8ff221587b78768

SHA512
59b54e8bb3fad3711a9d31b231b717b397fc5acf44f0dc8bae9ad65ad4fae9ecf953f37043bab414bd4f727d2e9bcd3c61741020a8b29e948c2573ee5de59fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85cbd6cdf654a5a5857d1c3d25c707bd

SHA1
154b772d5037bff66e56e0d39676c9d949906986

SHA256
90bf2fa7db5902059c54782c84159f909c08c72d1ff82116b9eedae45609d8c2

SHA512
dd9762e4a7e054f2d8aaf35668b8989b88cfde81c51f05096a4157abbd6efa612a8ab395bd1dd8fc1b6037486406550b90663ae2f5a72964d727c1e6db44310f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e30d.TMP

Filesize
1KB

MD5
4e6eef2e3c89ec3443d71d0ed9e72976

SHA1
c7ace8612094fcd32ae5aa76bc9fccf221d8b8ca

SHA256
945334bb3417c225b4546a666f46b7d0f67a1a108614024b9ce2db31f05f097e

SHA512
5bd4559972e5c068a74cff6d8f691109093c013c8a94d73692261cadf473591304aa86fc6a8d9248fbeaf3a33dfe07cd8b90a9585bf42af7f8a4ae3a82bf9203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea62b03d7dfcc64f18813205ca2eabf6

SHA1
efb47334c36dad4ee4eb5b1d49ac95d308f0f462

SHA256
2023edfc8a41462ee5602bb33bd2892164ac682a3f47a7c7a11a125f12af1df6

SHA512
bade4a46721f8e67ac684381db0fc7b1154f39b2d45a731562f1f2324f6a6548103edfdba43037df07bbef8be4ac669055086e08af69e4573238d56a2a54c7bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07ac5b821187713b2508a84bfcff424c

SHA1
e00d3c5c039c2c341c3f5be44b68356c6a701926

SHA256
521906b15e7b962e07d15a001cbf8e27b79538554db731bcc85c9a92087c566d

SHA512
912410b6f2ba0e440af090a0f68e022401bbae01c79075e1558e439d342b148d526311454f2da67bb13616b4c23857ebc646223c6816f234dbc90068ebe91c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
90536810cb19adaa10dc1a6809d3fd7e

SHA1
f3c8dd44452e0137cd94f47541e3211eb4b5f0c9

SHA256
52fbf990cee6f91a3e5b6b0d64560fa5a95cd46a707b2003143a4f838dc6ecfe

SHA512
478e69fb7692e5fc2620bd10a86466e0e98a9714a26cd9ecb2b8eec2a1092f150c48a69fb82affb7199900dc1cb959c804c318872b36b65ece042d5131181c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3pfxlela.olw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
3.1MB

MD5
f2553a783c86df932bd1072497da7de4

SHA1
ad66709a781fd7338dcc95586ee40e01af05f164

SHA256
265546e789253885efa16763b753b62b50720a7ad0a4813c92571f24dc9867c8

SHA512
a1f22e0a7362ff1fe0a3eacf594442eb267e65fc14b7dd56e762dad8bfd34908b425d33ddd4377c75d0809ca8df467e5deef7d59cd8b71faf70af13e29e8828e

Download Submit
C:\Users\Admin\Downloads\Update.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1232-312-0x00000215D4DA0000-0x00000215D4DAA000-memory.dmp

Filesize
40KB

Download
memory/1232-303-0x00000215D4890000-0x00000215D48B2000-memory.dmp

Filesize
136KB

Download
memory/1232-294-0x000002158E230000-0x000002158F230000-memory.dmp

Filesize
16.0MB

Download
memory/2896-344-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-391-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-313-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-326-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-340-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-341-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-317-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-345-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-356-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-352-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-351-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-318-0x00000000C0120000-0x00000000C0121000-memory.dmp

Filesize
4KB

Download
memory/2896-320-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-322-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-321-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-355-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-374-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-373-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-398-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-397-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-392-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-315-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-386-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-385-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-380-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-370-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-368-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-364-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-362-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-361-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-358-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-357-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-388-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-379-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-367-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-401-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-400-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-329-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-328-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-333-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-332-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-323-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2896-327-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download