meduza | hxxps://waveexecutor[.]com

Analysis

max time kernel
150s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-12-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://waveexecutor.com

Score

10^/10

meduza discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3576-702-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/3576-703-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/5316-780-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2088-782-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	discord.com
175	camo.githubusercontent.com
176	camo.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5440 set thread context of 3576	5440	setup7.0.exe	134
PID 5996 set thread context of 5316	5996	setup7.0.exe	142
PID 5380 set thread context of 2088	5380	setup7.0.exe	144

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\aee1727a-116d-4257-b86b-f081e111f00f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241229145139.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5564	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1976	msedge.exe
1976	msedge.exe
2756	identity_helper.exe
2756	identity_helper.exe
2744	msedge.exe
2744	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6008	taskmgr.exe
6008	taskmgr.exe
6008	taskmgr.exe
6008	taskmgr.exe
6008	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	setup7.0.exe
Token: SeImpersonatePrivilege	3576	setup7.0.exe
Token: SeDebugPrivilege	6036	taskmgr.exe
Token: SeSystemProfilePrivilege	6036	taskmgr.exe
Token: SeCreateGlobalPrivilege	6036	taskmgr.exe
Token: 33	6036	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6036	taskmgr.exe
Token: SeDebugPrivilege	5316	setup7.0.exe
Token: SeImpersonatePrivilege	5316	setup7.0.exe
Token: SeDebugPrivilege	2088	setup7.0.exe
Token: SeImpersonatePrivilege	2088	setup7.0.exe
Token: SeDebugPrivilege	6008	taskmgr.exe
Token: SeSystemProfilePrivilege	6008	taskmgr.exe
Token: SeCreateGlobalPrivilege	6008	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3256	1976	msedge.exe	81
PID 1976 wrote to memory of 3256	1976	msedge.exe	81
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1812	1976	msedge.exe	83
PID 1976 wrote to memory of 1540	1976	msedge.exe	84
PID 1976 wrote to memory of 1540	1976	msedge.exe	84
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85
PID 1976 wrote to memory of 1636	1976	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://waveexecutor.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffec2d746f8,0x7ffec2d74708,0x7ffec2d74718
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff683a65460,0x7ff683a65470,0x7ff683a65480
    3⤵
    PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2449273384282794686,16670172892217686860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\setup7.0\PhysxExt.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5564

C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
"C:\Users\Admin\Desktop\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5440
- C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6036

C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
"C:\Users\Admin\Desktop\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5996
- C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5316

C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
"C:\Users\Admin\Desktop\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5380
- C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2088

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
913cd25b0de81960e841c81a7bee8b19

SHA1
2c4bf2a4de37c06bea3e39898c9a98ee611b5455

SHA256
b01953744098bc035aee2a21976607df9352ca42abc3e01d769e2ceee1c9bd5f

SHA512
e5a879cdd1f83d6b6ee13117924522c967e2413c29722b5507b632514e28a0defbbcc942e7176f819e05df7bef37ca5133ba5efeb67a91c34b3736eec05ac8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de0e1d3019517b3b005d7731bbb8a355

SHA1
ddf1f15c241f72585595cd30de12c4c3ce4e2f97

SHA256
4ceef5b8daa774c456edd70e46668746b8fa086bb9515ed5975e6737e40dc3f0

SHA512
84f7a069fd6f0713fdb9d35f17839b8755671047be477e49102f5777e8ebeeaa6421d3816727dd37f1241f4653c063fb0823ae7bab1d3001635c5075c2ba464d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
4303d41c732a00943e584e4243842c04

SHA1
084582c7f25413cb85675632bb8fdc0e3ecc33ff

SHA256
484c0546d411e872e4baa98f866e984eea9386499fe8d320f44bb757bdcfaac1

SHA512
0a4fc7bdbe3eb950e6b0ca7443b1f5bf16085822232a581d51552495b2921a88e899705cbc6b758cafefc366f5895904f6cffee807d2009b6c369d27b10cf84e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
910c42078899c64e506a875710ef216b

SHA1
341c100790141f0250358fe2ae8a9015b895ca26

SHA256
f3f317dd2d4a27281a52f695631cb19104bcf5196b9dc387fbaf838c5e0aca50

SHA512
061641eee6cc7807c133509ab08ee59a328bb3c2bf8294b57b07de74143e1499af997dab6808c8040e09d157b467f0a9ca852ad9be0381d1b40ba1da98b162fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c4d79c5284ec27ddda3cce060eec4f67

SHA1
2db4a9e47371aa01b1eca96d5bcd6e26507f2bcb

SHA256
dbba47cddbc6614226647b5dc11208c6abc5c98a884bbd9d34195332fec1c2c6

SHA512
70aeb4e22c99e75a982f8deb5b0f741e72b9880144f83313566636005114da3de31b18bfd18e43fcccde8a045f3dfb1efd594de82f9de3c29bebd9405824add7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
49d24ebd50805e8cd1ada58e5e5a755b

SHA1
9ff314cb6b61bd3ff6a9027838d2a8ee1fc7392c

SHA256
87c28ecbde49913338a64be5ce0ea6f9aeee3490ec4ef86d5eabf2ba4717727a

SHA512
487617ab3915c011254127f296ab8cf23a2c328d48b0dd34bc5803335aad469a3e4d42291a9b589e5b241bd0f87aab308a127deed31fa441705fa53ff9f472dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
696bed33212c1b7130c8a99981989a5a

SHA1
4c8e2b362e685cf429fcf5c8757f326da4da2a04

SHA256
9410920bed27d6a5f7a015bb0afb8ba2552d447f98f9b0a0b77f0623e5ba1a4b

SHA512
1aedd2b780ead54f8e5fe2eb728384e42d7fc414c78ee9fdc18441251f16c7e8c39e072a87d72ddaf4461df1a832b4262e68691f8b5453930cf9fc4bef3a57ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5f2beb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fda63a6063f59c5d692e0c4594468dc0

SHA1
55c5a4934642323892e87b63baec01ca653952bb

SHA256
0c3d6f3ede398015502d034e4bc7450e584a0588441752b1e4e1795be183c044

SHA512
43039873832c0c78898f36619566e437034ec2b33246f6ebc79c5f07b5253559250c2e5cd9a07e4395299cd1677369cfc7db532b1506aef3eda7e04992f2b845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28074e9ee1c1281326eb7788b5732e35

SHA1
7b3390d641e6244ad1cd67db0baa2b215b4b06d8

SHA256
8a47741f6c12f6c2549fa9b0f061e51eb0391e4b9c591a97fa7cf096cf5cf782

SHA512
422a7444dd617cdd47d1e9a71e279eb2df25aa8c18c54f0266ba8bcfc0419566308af81fc5311b482a68e60b2e25b3b4386fceee2254625506c1cf9e7e28fd0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3496be67ff56dbcc3294a8220a728080

SHA1
015b5b37183a0df5b64179be9f8dbcd150527407

SHA256
d3b60dcd6e7ca39db6e2372b6523bcd8533e8c3ce71fa17ca1de10cb2c89517e

SHA512
984e6b352f13610c6c25a5bd4c848c4b8bdfbb71670a02debd5b742a91daf4b1d02ce149cf0b536343c8c7e988e2f24a49eff39a767d374ff450bf2250966be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aebb960713bb3b61c17d83dc0edffac1

SHA1
1ab3948b3d81cda905335d97f9f8262c2e496287

SHA256
c62ccedcc7397267291b6cad9e056e9b800f1ffd1ad2c0fa329da779c4b939dc

SHA512
1bd3ee023bb2c6fb1c073164aebcb9ad482435e57b09f0add99005f5d67e25b6640a2bac99443d1014a71ff6fda054e241e3073b4db2f2777a76ddf2637beb2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c75acb23ee0f8566ad1fb7abd2b5c18

SHA1
9beb29a3081ef3fcd1d7d5bd6f7430fb906940c3

SHA256
5f168c94648c9071e11b5c876b00d04b649656dc5773f730d8137f7e9fa27056

SHA512
8225237e806156aceceda004c797591dc28305eab87e47da8a21329c8843f8739f6967743cedd56822a1a58e8fb74b62234f1831abffed4d782a6714160e8368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5789a41717834298b9c0152ebc36bf18

SHA1
4aef1e71b065fed7300cf009973ff4f6d9ec0797

SHA256
5421e23825ccade2813b850179785004f5dfacf440644d4ce78f53d887e21b9c

SHA512
51ac7f7958270a0ce0ecb31fdeb462adac4b1f2daaeacb294a80cf6c72d846198aff3dac38334567b019b7e67847763eab1dd6c920ad07b872f16fcfdadbec3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fda5253ec830f16fd930d5b6d8c45e19

SHA1
abf7ad4461f05726357515a01823eac00ed68f2c

SHA256
e2057d041424dc75a70ff7c055e4fe1713fe7f384704bd856c9e5844c98234e5

SHA512
d89ab4ce898f791a235483213ee18923d35172cee0ca658f9d04aad3f39465a231dda637b15f5a744f4e6ecf104316c8f34cbdf46cfe28b5226464784935377c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3d5406b7a95093a95121a73fd45b65d7

SHA1
f1b8bbfb3bda1572d50379d5e6cf403f02026123

SHA256
1e79f2b89c1232d9f0c405072fac7cdff041f9cb9968910538085ddc6acfc4cc

SHA512
d033181ec94e373dc0b72ce8782c9f94582ad625f041b16cef85ac33bcceb948d0eda5af8f8d221f151d60c62b4656846f1c0dffd1497ce65a2e288833e94d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cc420cc45f686797b102b94f6bfda2ee

SHA1
2b0b5d4848cc346c341cbd51d5fc6ce8a08910e7

SHA256
23f845e57c6718a65f93b97ac9c425d7abaad84f75e77e662c4df298305b9a19

SHA512
2410ec9ef56e8ad547219c4ffde2d02ab4fe8ea668c51f6519e224805770375427a4db95eab5e5f062ebdf36323c5bf03d1633508776fa553da2e8c408846092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
832b664db8c95c83ff39b95fac93bb5b

SHA1
9d244b3081440efd5dcb15c341b2e790e5af359c

SHA256
d1d1d00928970105a43609aa8e2516b41e9473ac285cb591fecaf74b69213487

SHA512
0d46d177ca250277b341f04e3e4565b048069a14993bd1d89d38d03ac8cc4b499dcb2c181bd86f12f903054923a3bb47787d229ee975d900dfd6297db22c246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a3d7d81612c82479454ec1c5d4e740e

SHA1
39bc6a1f04dabb422fca914a1d9a87b9d9fb8214

SHA256
e77b41ba3cb2be314e7550c15e2bffed53371c8e2036dccfc0d9efe7dad61357

SHA512
635c1a29ecbbc86055c4529e69261669e9b832206c7cda3ba9505b8fde25145b8e4d47577ea64d81158f12897fac19c569c567176d16387d1da0841695442f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b007fdd5dbb45870312f6eaa3d9788a6

SHA1
abe9d269ed1ec6d67416d9d6acfcbf5bb542afa1

SHA256
392934988ddec09f2e10f05618e9ca1ffec0ebbc985ba73d5b06a4d7688c293a

SHA512
1efd79ecccdc2de5dfa200d753dc228771314bd06efa655e1823f28cbb302ce9cfcede2853f0654f8b5573f1278e63084a8d06f516fe7f0137c5c91e13cbd1c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5f1352.TMP

Filesize
204B

MD5
e3357336dd8f9b651ea690a1d7eb0a11

SHA1
0222d927765db96d5f07a4aa79f92f637faf31c4

SHA256
19b560442d596c024b286ff95e0623e954496448093aa3f1e324ba57c9d43ce8

SHA512
8e0d8759b5efee849dd5bbf837ae822f2bb52740f8982eb1b2c334c18882df5994bfcc3572158419c8fa5a693e129c5a7f8e46583ecba2f636187bb395aa1569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
977ace12ab8bcfff3deacf2248bfe5a3

SHA1
701c6ea55c98a62e94777df1311c0c932cdbc9b0

SHA256
d9f9b5f2e08f7b1dcc114243ffb5cea183121a6744b0e2d6a87aa57babe3d0d0

SHA512
fad98ed6da0849b175bb54e065e69192211ecb1a2b10b48784e3a2ee278535e321aff462f02628dcfaa37d90fdeea272e63a5e8188ad0dd46141b7b37d3cfbb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3a73820b304aaea469206461b67c44b

SHA1
98dc275916a9ac95e465d4ccbccc91e1665f2592

SHA256
270419c08c92e4b00bd38bd1c393e790033abdc2cee8122dc412aa1275ea1d82

SHA512
a1fb20ab152f2d3367d4b151f25740720a58eede616896d06297b54dc78902f50f3250b98c636e0b4d59df01bfa2eb19f85f7ed49065cca45200c038d2881b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
22b2be63bdd087ac7f0f8a5736ede4d8

SHA1
233d718a4c5b010757c964a63f348141184d5f34

SHA256
dffec4dd7e988f99d5427970d1042b88411216397fea0c86b2e0e9c0679374c6

SHA512
0f0cd27ca8d0a3f44db027d01e7d9d97b793d9c9b3e466a3e778fe09c37b43b43380d026dda80a70e0d6e605f9a767d522b49ff03aaf384070fd00af0af4fa6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
bdf92b06aea218e959449e88683dfdc5

SHA1
7358470c8f8e82e18ae38f910198aaf181d13092

SHA256
2722217a810bcb19fef5511e79c3e762a72db6f8e76380fea56f1171f6d42699

SHA512
a8d485d8f04ac7ed9aa87f649c8976934eea1328eb1b02578efd18f62e0f14b7a30c87be141940bce576a758f5750bd837b8602b18a603d4666cbea790f92bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
86a271a8390720d6200f145aafd215ca

SHA1
0df5ed5d3e09d075281e669bde6b325267f6f49a

SHA256
3fd143ac578b07a4fafd84123c4d8ae3014a83f45d28309214dfe975e9e3a8c1

SHA512
cf5ebf103b12e6dfce43224c4a9bfbba62da3f0b7b2d19c67228462ebf98ae0febec2cf9d35589a4ec27519d887b32eba3dd26da5c74502430a9786f78f51eb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d50aced06955be05c9b77c7983d11b69

SHA1
ff7a6efd6c030806d5879ff0e78d0795c8f9a7c3

SHA256
0da0e502978b1b59e0666d73e2b5304f83cebcb461f1f3a20ccee3b864ec4d40

SHA512
db72192be23aadd335fd539a15e995778a1106b531d3fd291c41ce4f0760fc63881256bdc4ea495676b1c4160e07d19f7ded4590b34ea6a3c4d9dc4ac6b59808

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 123869.crdownload

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
memory/2088-782-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3576-702-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3576-703-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/5316-780-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/6036-722-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-718-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-713-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-719-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-720-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-721-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-714-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-723-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-724-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download
memory/6036-712-0x000002299FE10000-0x000002299FE11000-memory.dmp

Filesize
4KB

Download