1210198cba67e2324b493118f6f20e425d737f791d4dd60e7a491dcfe53ce4e1

Analysis

max time kernel
89s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Galaxy Swapper v2.exe
Size

4.7MB
MD5

4bacf7451e3527f4d4b33f6194d1fa07
SHA1

1799413946f92bcb306604d557e7c73422913ab3
SHA256

1210198cba67e2324b493118f6f20e425d737f791d4dd60e7a491dcfe53ce4e1
SHA512

674a92f36a0b6130a7c7cdadd8a137bbe388eadb87c1e4621993eb45000c69182b768f70bb57e5e63fd06e4876908176de59ee8ddda1a410d43d1c8c3e5432bd
SSDEEP

49152:uMwkjJCUR8vJiIwBDwXkYRY6BqatCNO4JT2F8aHE1vTvO+cq2+qwZ9z+my7iA84Z:TNJuhFqwXXRYgqatNcj2ZTeDluupSR

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3644	windowsdesktop-runtime-7.0.15-win-x64.exe
1160	windowsdesktop-runtime-7.0.15-win-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
1160	windowsdesktop-runtime-7.0.15-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 404133.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
228	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	taskmgr.exe
Token: SeSystemProfilePrivilege	228	taskmgr.exe
Token: SeCreateGlobalPrivilege	228	taskmgr.exe
Token: 33	228	taskmgr.exe
Token: SeIncBasePriorityPrivilege	228	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4980	3088	Galaxy Swapper v2.exe	99
PID 3088 wrote to memory of 4980	3088	Galaxy Swapper v2.exe	99
PID 4980 wrote to memory of 4316	4980	msedge.exe	100
PID 4980 wrote to memory of 4316	4980	msedge.exe	100
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 2896	4980	msedge.exe	102
PID 4980 wrote to memory of 4484	4980	msedge.exe	101
PID 4980 wrote to memory of 4484	4980	msedge.exe	101
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103
PID 4980 wrote to memory of 2756	4980	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper v2.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper v2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc32a246f8,0x7ffc32a24708,0x7ffc32a24718
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    3⤵
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    3⤵
    PID:2824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 /prefetch:8
    3⤵
    PID:1128
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
    3⤵
    PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
    3⤵
    PID:4184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
    3⤵
    PID:3332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:3868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:3364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
    3⤵
    PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
    3⤵
    PID:2556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,3132592695599888674,12657497471797280719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
    3⤵
    PID:3332
- - C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x64.exe
    "C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x64.exe"
    3⤵
    - Executes dropped EXE
    PID:3644
  - - C:\Windows\Temp\{EA319AE0-A5DB-4885-A6C4-4DB8AE20C4FB}\.cr\windowsdesktop-runtime-7.0.15-win-x64.exe
      "C:\Windows\Temp\{EA319AE0-A5DB-4885-A6C4-4DB8AE20C4FB}\.cr\windowsdesktop-runtime-7.0.15-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x64.exe" -burn.filehandle.attached=564 -burn.filehandle.self=560
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1160
    - - C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.be\windowsdesktop-runtime-7.0.15-win-x64.exe
        
        "C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.be\windowsdesktop-runtime-7.0.15-win-x64.exe" -q -burn.elevated BurnPipe.{53C850E6-59F3-456A-9E6F-A434F41C90BB} {29866603-AC27-419F-A287-F75D65FAAF25} 1160
        5⤵
        
        PID:3912

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03536080F8D81836588C168861FEB78B
  2⤵
  PID:4444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3D14D78A0280B961D3EF14188BCC01A7
  2⤵
  PID:2936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27A5166D54FE8D77E317F4E83199E9B5
  2⤵
  PID:1016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 22A237A4ED2CBAA0848006C8C6D4D180
  2⤵
  PID:1768

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper v2.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper v2.exe"
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a2f5.rbs

Filesize
48KB

MD5
af71a63207a1387fd4eef143b8b9024b

SHA1
99e14787444d541ae1879db709a2658adf187bbe

SHA256
f3e488e18c30f05217649bdb9740b2c61774d42a519186e53c58b12b89f386bd

SHA512
91e3b5e0891c0ddab55516c83d892968564fb4b5c2035f3036027977a715e98a13ceb081603ae90ac99c53ee6b9819bc9ecfff7d08086ddac02691255eebe88b

Download Submit
C:\Config.Msi\e58a2fa.rbs

Filesize
9KB

MD5
bbe131c1929e64b202a8e900149a2f83

SHA1
7e644586a99d8ded479b561434b27512f88ec67f

SHA256
c611903fff3eb4f7eda1e99131d02385dd77e18012b668d86ae56c1b092d948e

SHA512
86a451ec197620ab90fd5f81e3867aeb0787de7019df55e1d35c8aabe27f333cf4858d0d601614303e08f63f9e74987dd0a269a12fb4442f46d366cf6dc744c3

Download Submit
C:\Config.Msi\e58a2ff.rbs

Filesize
10KB

MD5
268623b64e4657aa81b3d5c1c3c846fa

SHA1
acd129066ef9033afb73e5f1293fb2ed3b24cb43

SHA256
5b5ad22103d522ab5959f1a7a5ed1293e3ef1e8764ac2b81f42815ee3648ec4c

SHA512
dab561c22d063ffc3dbe38af745100f0c54868bc2b3a791b22b1924bd09e8b7b009d7518d038768fd23a8a2d2fe25871c059b18c29afd1b1d125eba01f4b9f79

Download Submit
C:\Config.Msi\e58a305.rbs

Filesize
87KB

MD5
fb576d30aa4d7eb1ba8b4f2d6db47314

SHA1
50e6bc8d605dc6a450b03a635be6b3934ae7577c

SHA256
159e49aadb7a879980e9d1de784fecff6ec255677d3b3194ce9b55ebfc632cb9

SHA512
080af89bcc18f92485c5423a7b194b55be5049dd09efdc56d2a2e36ac14236f221c2a93cf6f301a7af6fec2bb96326df5a693985027bd56cca1831eb25c3abd2

Download Submit
C:\Program Files\dotnet\ThirdPartyNotices.txt

Filesize
85KB

MD5
5c13a5ea8c8cc3474240981d0ffa88ff

SHA1
1d8d3ce27d9dc3d9fb4fa4b06c20137d25879d80

SHA256
4f9bb3901879bafae3a17c6c4009ee5c15384a06fc234bed78937969079c77da

SHA512
32ea79ff5194d8a18e75f277aed5610b4955db15b0abbcc2664cf07f372bebfc57eb665ad078dc3da3ce5ee0d8856140c2a1bc7032b578dd103d43998d682d88

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\Microsoft.NETCore.App.deps.json

Filesize
28KB

MD5
be8384aac1d3c314afc57ff9bd12b8ad

SHA1
333d0c43e72d3c307038fdd94612ccab756c4356

SHA256
a3a5a9d25f543496542ededbf3a465371c76df3a9d8e8d46c41db68a075d2a1c

SHA512
cb6748cda56a59b03f7bdfb78ab80161af4cd894f765e8f4bfe2efac57f362e19b74bab6cfe03fc4101e9abcc2d1b4b94e53b84269b370641fb883bd33d00751

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\Microsoft.NETCore.App.runtimeconfig.json

Filesize
159B

MD5
01da0d56ab33c0ed0e7ac85e5244190f

SHA1
9e1e4b59e590038f769e5fa01fb326109a7f38e5

SHA256
7133274dc5efab688a6efe2f43ca33e78a2498ef39efcad231b0e07ad2c26d17

SHA512
e11967ba33c719da1681a7f98056d40f450788d9b7c8b2f580d8bc7998fc35a78c53fc970301b097c527fab79fd477adad4eafcd75b4bb376d33c3fece9e8926

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Private.CoreLib.dll

Filesize
196KB

MD5
5ee66305b0037860f8dceda746b3836f

SHA1
ac25354c2a82b7f1017394e8e9a926d70cd92183

SHA256
2bb3e636e73f4160c5d2ff3426eb4044d76a11e65f56b26b9f4404429e461203

SHA512
19ee4f16f29d35d9718dba5bd8dd2c53d67d362c4546fda04796dfae80206599fb469a0eef5d7001adef8fb936c01bf9cce71cecd5b0f7aa542cd85810243c86

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Private.CoreLib.dll

Filesize
329KB

MD5
884cfb4b97e008745e4c7859a19508be

SHA1
1b02cc3c47ea758ea81254bf77675021ee6f9e1f

SHA256
c596899d5a890a5ab9f5818caa276546c5c164766ed8174c431f9c67643036ee

SHA512
d2e679625d5c9ec7d66712466a815548509e6475a137ca2a424303a097e29e5721f342247d6757aaaf5c18aca388198397d6608ea52f701fb30be1c09a76a44b

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\clrjit.dll

Filesize
329KB

MD5
cb2d425aeaeaad951cfc708b3f9b03fa

SHA1
769850b422af176364eedc770a961f15b0a09169

SHA256
f5a7339ba81ac182668e1b285db56bd12c87eccc84bb1e2e782745f713602451

SHA512
211e8cb23037d5d92dc5db91a0ecee2759cce04fcc1d17c807db217be7a4c55eaf0290336b2c3909d1df01efe58aef2f1481474b924cfa9824e11700c5e7277f

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\clrjit.dll

Filesize
264KB

MD5
a77d8f1238bbc4425a1e95f64738ac4c

SHA1
e29faf7e2b3c3e3dab3bf1eec66a9cb8152a0b05

SHA256
92ea0b2ca8d67ffa25cf4954b614d389d39bae64017dcd4a6ad908a89adabc07

SHA512
987ff582b738e12481217cb65c07214da066b44907d37125a8d4ed6749329874edcce2a3507d07f6dfb83ef80b0a7145fea07f4296aca1cbe00f994eaaebd740

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\coreclr.dll

Filesize
410KB

MD5
e48ac5a964bee771ee88ad982e82e2d7

SHA1
92f3b8822b029c8410c935bc0047981c89e1e22c

SHA256
6d9f56b648ccb70d8cd7eeaa34d32046eefbee89ff8cfed9a29e30260a8481b5

SHA512
600f963d19f56637805fc1deb469b91510382f707bd3f16101975d00cdc39d918dfed133f52710e8b527244926a43371460cafcb8d6997cf261003cbab44b86f

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\coreclr.dll

Filesize
216KB

MD5
ea994ccdaad0ee952bfa0096f4e7925e

SHA1
7d3886be3c64fc610a35f12d69c3064fad897fec

SHA256
cd6d1a5292cf5dcf7a52490f2af8ca9f0d9e38aeb8777b43ca76134ca993cf2c

SHA512
facc33fd6b870740a921a697d44223e800d91dffdaf9385a90ff18670a94a644d64ba69e1e0f27500fb460576704faad7606484432c24ae1711f04eafa5a5e52

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\hostpolicy.dll

Filesize
190KB

MD5
79442f3edd362b01047c22883f7db6b5

SHA1
044a804549b7cc1952794e9d101aaad81b37f1e6

SHA256
9b1ebfa60a3d64010d8ecaab04bbc5d21484ee6467b519c26726e3a74d3f0682

SHA512
6246dc209fee452c4bb2563570230fb0078d4c3401e62f83331e5e5bd780b5ebe0a597e71c41c64fe2923af43a7605029415f56571875c0e093150686755a602

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.15\hostpolicy.dll

Filesize
385KB

MD5
32cc3926d9acee1bc0a2ef4de0ec9f1a

SHA1
7f27d77a4fa192716d4422129652ebf07d8f8007

SHA256
3ce0332b790d5b10e8b0fdfd9ad101fbc0fe3f34028c3509b6961e4ed4956e26

SHA512
7b865719f4bd805236da7ee99c722a75e116aed26019a8700ed518de7d01d5088175a9085b5fff7468609322331cdbaae3e6a6808ce49d8ed4b50a6c46addd7e

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\Microsoft.WindowsDesktop.App.deps.json

Filesize
30KB

MD5
e6791276e353a74412b9887094645591

SHA1
c4936840050ef9eee33bb8368542ad602aacc535

SHA256
6050fc3eca001104bcdb4fce1547c63c0e9f6fbacf3cf0261c8437cc51fab004

SHA512
0d6bb29c138b41a7f88f1580ac370f794098f0622b08d5a57c9d1848d15cac9a66ab7f755245e5ad2d97ef2e5f119d4d0696a9dac9f9cdb29bef6e2d83fcacca

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\Microsoft.WindowsDesktop.App.runtimeconfig.json

Filesize
289B

MD5
763285ee489811f3def989d2c3583c9a

SHA1
d45a44af18abc8ee24b9e51c895de5aca997b23d

SHA256
3bf0907d4374e967f7da3451c60dc0756ab0bbfa438582523028ca1aa4902dc4

SHA512
472da531529692e7c725051bcf19450a97198f29c3df43632593de644b7a369329ed90ed3cfb456be9ccba4c1f8353c6e59e07f8a448bdb01c688feb301aefdc

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\PresentationFramework.dll

Filesize
296KB

MD5
01833e23328c649423f7629b1b160508

SHA1
765cbc147ba29fff937bd88e55054c6009ae83da

SHA256
2ad6b9593c2cea823188fd91b6b749acdd37f71e2c768425a024418e3ce517c3

SHA512
40dc6eca354ae8bbee2acb98c97b44cfd07f6632d50fd8f77ce63c91b70f8c81749bc883dc92a2a20b68f721aa4ffc15f23bc73430174e2b23e4755cc2895efa

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\PresentationFramework.dll

Filesize
213KB

MD5
f34fb01210978d2e372cb5bc6d234e8b

SHA1
3c1d380d452e600433c2eddf8dd4b9cfdb236f5f

SHA256
36a259c510b322500a8444665d53f79b224f97f8a5f58d572c66bf219ac540fe

SHA512
d00313e98820863da9e3ee183351795ac27f767dbd27ec9c0fbca716b36f81d59adf19982aa8a7afc5b09cb5e5816eef877d0161b458d1aaa6fd40e3d78fe1f3

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\WindowsBase.dll

Filesize
306KB

MD5
62beba014bb40f876587bf14dca9f908

SHA1
7ed6ed4f0650df9a71ba192bc370e8d71a758189

SHA256
a27590141ae127c33447c28a1ee66df50fe042ff22fbf2c2e4a1988866033615

SHA512
49f8f08185807cecfe3cabe0d3dd77108faf7d557d03f7b419116680c493c60dacf419a566a9fff4304b5cd25250dac685bf999c9964c9e49b7ea89a4ed6c829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
d19b69f547a9127a222e30686e82a201

SHA1
4c66909602fd922f00ea97323b882124bb5a0be9

SHA256
d8b3699b37c2103ffcaee0b850e087676b05a393b23a19ffa1a4603d47bd079a

SHA512
144020790840806174a0cc32530d709ac3284c204e9c9cff18c42f49c69e794edc76ad190113d95e7bd175f3a1904953248c05c3ae9f400aba0ee9dcc2cdf026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
902B

MD5
1da4fc28ed649ceaaef30d74cbfc89f4

SHA1
3c3be0e02d5de043d9be9b5ba983a39145ba35f1

SHA256
bb38829e6af0771c1ce707c12aff73b50c329220fabce45c7ad141e376fe3bc5

SHA512
a1234f2a19fbd6248ae7a9cf9be52a1bbeb46ea492d79096503ac394358c00aa5363b85dc87c3667b724aa9e720045307f2d538f1f161340fa52acd42e1be310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17dc9f761ecc72733d7203002725000a

SHA1
00047c222041d39c14567ee2cf4b8c9421770f6b

SHA256
2787e85c689e3be2c4e636ee248c183e36cf40c1ca353936da339267c8c0edf9

SHA512
58602f13c95b48130c99d63c087ec5d327796a2115a2f271d24834745b08e9639d02a7c28baa034d920a8199ab854f641c1096ac020181dbbb9eefd701f74846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f7a67ce06ec633fe50115179079d378

SHA1
ae04f08f73e30e63d5acbe5773a38bf2018f83f1

SHA256
7b3dcfb680c556425c86d2a19d766226b6f450db771114b7f1bbe200024d2cf6

SHA512
3fc8a600387fc850faa1728d3e05bb50d752c79a56ed2db785d377fc97b1d451944c86eda7fedc1e7fe6e3c61f2f649d725d7a31dec32cb5114508718111e75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4fdf281981543efe83794456428f6197

SHA1
a7124e475663620e73233fc7fc3ae2ede71dd9b3

SHA256
dfa97a315bdab087f3fcdf1c280f4930398320fa15fdeb00e2910f10dc7cd1be

SHA512
d2416b2f6a6679032957f045b315c0b862ba2ac0707dfa1212c00a64c4489856d7a895b0acbce565de4f61a5e7083c3c75d233541fb5b41e09ff542487e56151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2587ebf6de1b4347bdaf76584d20f26a

SHA1
8397572d936930631d8b87655fe97e17abace9f2

SHA256
d2c59698955e01e1931b89b87b4fbc85a856655edc605cdff3b6d7ae1d537a02

SHA512
b8aeff4c8d750ec90c5e0600e47386c4fdcdad8087d237a9404f7901392e8cf8f5dcf432d86f80a6e9a8efffa2e12fea82cccf4c89cd87776ec7b5d9ff295cbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
005f5be94c6021701877ddb90aff0ec7

SHA1
5c3489801c1cb3c206cea62c7968533642ca9bbb

SHA256
c5d8a1127d3198c43a7829c348df7d5dac3afd27c624a3e1a4f7de6667e2da16

SHA512
4a9edece3291be36f792e43765bbfceef3204e5a7bfeb1fdfba9a58011cd4b8197c0fafb10c2d89542bdb93701a384cff86e05ced969e96a142418473519ec76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10f4133f0dae9a2f1a3293b571769bbb

SHA1
8adce85655dd704549da14fd9b7e728ff17663d8

SHA256
afc2e20669e5fa2a44f9e758efd5f282a57f9603dfe7742966c3c4293a42eedd

SHA512
f30868a0507ab8b0963b01698e4f5433a7930fd7c9e27efc5b2719498847b745226b06980169e0fdb6fa8bda9ae19009499ebff804c9f5cabf8d923d9a0fd124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
779193b07c103f36fbe89de3618d7a84

SHA1
314669040cb39b70fef4fb04c6a1770fce58be46

SHA256
d6b5749a16a949f6da6c272b6a35c28a3a2fa0dee22fef492a29aa7c4a5517c3

SHA512
6beab235e94c317bf2530c5ef6d278bdd0b220a3e33e8fa494bced0cad3b37435f0363c3d8f1fadc1a1bd8a368e393d13ec90b5abe1f8b8448ef485b8f38221b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.15_(x64)_20240126163415_000_dotnet_runtime_7.0.15_win_x64.msi.log

Filesize
2KB

MD5
faae7b8886d63b01c7bc75cbbef31be8

SHA1
3b55db28aeca7ba9910614398e7175149e8bb782

SHA256
90ac2accfe4efa334993822fb14c5d3f9fb60f3aae5e66da46d7e9b40c1ac641

SHA512
30811b0fdd055109a2099aa09c2c2d65da6cfc5135732da01efe1c4746b2c007bd0732284b93c21e53b39cb85f38548d3bf5bfade7d1b7670380029649306870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.15_(x64)_20240126163415_001_dotnet_hostfxr_7.0.15_win_x64.msi.log

Filesize
2KB

MD5
a6c63097b78013e965f6673ea1217c33

SHA1
c09100be1de88d26bad1a13ae81fe1926262e932

SHA256
89822c24bf899bada4f88cd4a028800e6b3229b134b8bd17b1f305dd552f9988

SHA512
60e1e2770b16a998957b85f1d64a372938d645407e071b4b06fe6b6454beb73951f83a38220f1aa933e8c76fc107298d44f85b0ed27e3c1b9c78ea669f554e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.15_(x64)_20240126163415_002_dotnet_host_7.0.15_win_x64.msi.log

Filesize
2KB

MD5
bc611cf006b60c7315132b3f8b3234d3

SHA1
68ceadc5fbc161f7f6f13307a1dbf96c1f025fe8

SHA256
744318ec197ce9dfb9074bc400ad87e2343b3f9d05025a8263fc95dbb1725c66

SHA512
29299a77924477cb7af1cf466d84b618c74cf5668d0569edd4101fdd1d1d4da5d23eac10c0d149be27204c5c47c8e1af3f4527291d7a409f89ba4feddab5bf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.15_(x64)_20240126163415_003_windowsdesktop_runtime_7.0.15_win_x64.msi.log

Filesize
2KB

MD5
1a5d5f5d9aca466c426e8be8cc455a54

SHA1
753c147326ef6a3bf6fbf4462a9b98db690881f4

SHA256
14247ab3c21bc5de5700d6c8a0c01494e55a8ef8556e7add4f90e74cb941a19e

SHA512
ff4f13ce35120658cea241de796d0cf2ce8fc5f67f9c1042cc849b54f5a14b626e3f7f9bdde7d6b211485edba8f6cf91fd95acad36fde8d6c3975b73d563bd97

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
14.9MB

MD5
1b3194aa9d83cfb9212a17536046ed6d

SHA1
9aa71b233e8de4d5a5972544304e4dbdd308594a

SHA256
03697b5ff62fa679218ef49825337e05769925211fb35de996c38a82f93b000d

SHA512
d8899b71be7dd54b1ed1713aa5ee26d629ebf4eaa7486d44c636e8b5dc7d8b92b8e593111f129a497af6afafa14ac1350ddc07e655d8ced71758bcf0e7f72034

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
3.8MB

MD5
02f0ff72332eb572f0778ab94e5eb10f

SHA1
b55f13aed23554d5e6efaccfb157dea41386957b

SHA256
8d29e3491d26e2f07586872dc83b2e3ed3a4f5d2be4ce28123fac80e0c18b1c3

SHA512
5e37bb859315aaa223011e83d23621941a8f307810f688ceb2648d88cb2c7868c93d7c4b7f0d8387a6a2df2ba6b14444e03fa9641ba7d72805735bfd740391f8

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
3.2MB

MD5
a17e7f32cd0c96b4da99c428943319a5

SHA1
80c8399626998c793cd8df792b3cca4bc358edda

SHA256
be06298e60afb9798a1e99edbb2faa8c974e9aad3a661a8407b675a28be93dca

SHA512
b6db719df1fcf0928c84af1880b6e2ad5ac5bb0386f7e22c4eb8dea758099a8764fb987131b885ac8e06c83e25369090b7ef9a18bde9c0888504e7b30a8d4bcf

Download Submit
C:\Windows\Installer\MSIA41B.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIAAC7.tmp

Filesize
220KB

MD5
fdc6ef0c3eafc438557f7dfdb469bdcf

SHA1
36298fa984ca3db91bf011fe264c4643479e2fa4

SHA256
e1ba1147fd4147082576a84c728f241cfdcd9be4309a7c81a157373f246122dd

SHA512
a3438a09b1e4ae67937b6dd2d0a574101de668e2954e24329f87480fdd7dad8f29006470a4bba285cdfd9b8d8ebe4f24294360acc6a9f53b512add4aa84c9ccc

Download Submit
C:\Windows\Installer\MSIACDD.tmp

Filesize
181KB

MD5
40d45c4e9a079059c0343718b21c0a92

SHA1
3b7d014c06be055597dec1fed33714094a578fa4

SHA256
e874651143dbc855e12a3030028e2bbd80f617e646df37879125149ee558732a

SHA512
87a824cde7b68e30b9a304af52f147377ce86fbef3a4cc402e8c5a1bb61d562ff4becf1f50c75bda2b0f1b21443a1c80912115a862c62757e04f230dd1dda3c3

Download Submit
C:\Windows\Installer\MSIAE07.tmp

Filesize
212KB

MD5
3aa2b417b338a4edba3a9926cffb1328

SHA1
fb1b6603f0b26597627c3e6e3ebd5c1dd62970c8

SHA256
8460d2d7c7163fcbfbd7cd8b1449300635d6082c8a39f259b5b038949e739add

SHA512
b4985c5b55f5efa75cc25c2929703a172b0b61eff6277251d1c89f8dee322ca79abc6418c77969e0ee1f08d4aa15ad13c983f16b12568bef2b936a74121cf206

Download Submit
C:\Windows\Installer\MSIAE07.tmp

Filesize
163KB

MD5
2e1a0fcc536267294fe74c42e04fbd23

SHA1
b7409451f6fbf0cd05dc03a92894ad7c1ce8f834

SHA256
8525f6759271bc0b35b9200ca65b7734d5fe3690ad322a7d77b5b106bab541da

SHA512
636db32a357cddb4beda92068d67f508365ea3c889f009c76bf39960738e9aa76469aa97a4b79aa9ddad67f4dc4adaa224b21593750210909f63043120710feb

Download Submit
C:\Windows\Installer\MSIB6D3.tmp

Filesize
204KB

MD5
4d664bf99fff6a188011150d3dd2a869

SHA1
aab7d739844f6e67f2c91379dd7453bb7a990110

SHA256
c780fbf7db922b118fcf4654b095e295d094b019d7b2575156217649c5ec30e8

SHA512
f9a5504fc3ccfbc8e1d9914883131a0f9b64e7c29006c70e83af33ba39cd72aab4ef064d392957063cfe5a146494d0e8bef5ef74a29e7db4540005bb73e4ccc4

Download Submit
C:\Windows\Installer\MSIB6D3.tmp

Filesize
219KB

MD5
51e76a146b0661762023ac6a39453e8b

SHA1
3880c4c155707b5df8bc7e64c597ad354cd1ceae

SHA256
5d19834b7be17a72c8e5290ad3bab2eb3d2f103c40b94faf411f464a59bd5cd9

SHA512
9199c145f532d8a01d65ed934224de39c44da517edcdb67347b57c70602d4174973eccc2bc134d9f9e9cb822b785908cc3f47901bb32b03316db0198beb55b85

Download Submit
C:\Windows\Installer\e58a2f6.msi

Filesize
252KB

MD5
41197459cfa580dd791797f7b998a413

SHA1
72abc5f880da7c6c77e404bfb1fb5fa25171bca8

SHA256
97a85d28767d512d6dac6214216c1766e9536ac8cd65dab312c729cb0b9ce565

SHA512
13d8a4b4db04d6115f082eaa307961c1adaad101af268e4bbc18ab8ead6498283d9215a534af21dca1456c1ca4318c064ac64f3eaf886730cfb6d4f76f30efbb

Download Submit
C:\Windows\Installer\e58a2f7.msi

Filesize
252KB

MD5
b6db8e165b06c6a4cf797e1ac7fb3084

SHA1
fbe78baefc6e1af5fe0a474852357e246f1c4cd9

SHA256
128e79b22a09692f9010eed598e088d4511dc169be37c1756caf9573136ec60d

SHA512
b60a865f3ad0faf8f5a036b25f5ebfeee09150798526b4b5af9392e9eaf00bc823f2f6d89bd563f4274c4a0da5342ee872e4b101d5f679d77e82864bc120bc8a

Download Submit
C:\Windows\Installer\e58a306.msi

Filesize
356KB

MD5
5a753a3837c86aa3a00f40f327d70d1e

SHA1
02654e2ad52de7050ec8a2b0ae6cf93880c2ed78

SHA256
3700ddaef9cd3955eacab071d5ee2b94b1a7761caf4b05872b916df58725529f

SHA512
eaf4a4cdcf73f2f9a384822705d965574c37d9ae31665546c97cd70678dbee437233a6754dc0d7b5e88c67f2ace9c2f5afaabd80554c3e8d069578b3980e8874

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.be\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
348KB

MD5
49c9f3700fcefbdcb89ef7f9f99fddb5

SHA1
33f08e034466884ce3402d00f5bc4cf85839b89f

SHA256
0b2aa77064d433e178788dcfa23d24a81ce26d4f90e170bd607669f0523f6d26

SHA512
00ad8d30842f4c9e8bbda6c34d0adb9e65dccc6f4a83cbc1d02ee7c70f4d1e49dfe50db5ac1ddf76774a31400bc0052508c6852a49d62ff983a18435e89f43b5

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.be\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
583KB

MD5
680a701368e0dcf9d6baf12c0433d33b

SHA1
06cc75587dca5c624ff0f24384a030bb1ae927d7

SHA256
2112bb9cb2a05fc5e3b0d2eec52c30daa6fee68db790b3f121a1b11b52ba5fe0

SHA512
653941ef0b6f88af4b4a49fe4b2ff34c0686fa98c1835179c0e3dd8ad7c6b3bc7e1855bc20bcb1b6ddaa85c51c5157b5413b076608029ec58b9cd74e157cc930

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\.be\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
315KB

MD5
dae989c88b1fed735ae05fe380859b14

SHA1
a792f82dadd588e0028e9b941a2c873652df75a1

SHA256
8c8913bbc3eda2c7bb7065ac3036c8569c5406dfe09298c3c3255e4f661e1a28

SHA512
bd3f512f5cba91beba858c9f1baaa17de1458c2570cc2191c8c8d92c64f6481038dd0dff17fd8d9e561588132da7257088e314c3006129194d06ea441fd790c0

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\dotnet_host_7.0.15_win_x64.msi

Filesize
268KB

MD5
bdb6104aab442b7c378733ce67cd3d82

SHA1
a2b53c969a394254a8ef506a4dd8a921a4f5b247

SHA256
e6c3395cbd32cde219ddf33351bcebe9ad810db4419cc4c092f1ca4e1550cc6b

SHA512
8c47c27d41ecd94dc2cfee6137038aef567ef0138229718c7a18a02f1cc39d556534f35c5852bf6144d94f6e1f958c4233e527901936e4b8382132f104ec08d1

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\dotnet_hostfxr_7.0.15_win_x64.msi

Filesize
219KB

MD5
5b31eadeb04a59461d8d5de0af3d6e53

SHA1
73e3e72403ce170dbf27c3f79104e1cf5e31e412

SHA256
08aa9ec6427191c3475e070134547b0a3cca99fda06b07453247e0a39fb3043a

SHA512
9fb408ef80762725c846cdaf1613fd9ea4d1539f393f063cbdf4973db353eaa9c773ea80b223a7bf64dd832f7dfc93f0c29dc9129a06b726a9ba42f0b515dbaa

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\dotnet_runtime_7.0.15_win_x64.msi

Filesize
240KB

MD5
480aa6c30cebc28ab38391840406f46d

SHA1
51b9cc925f34d0e33467f0559e8d2ca65465cd25

SHA256
5fcbc52e6bd80fc5a4ae894500c26bf93195c658d156a73b48273296c80dc95a

SHA512
41725e2fefebc18e477e89ef233ce487817c45e7b4033d33582886519139d3bd9c44c3057b0105955aec39ce51ac1be63bec73dc014915d28905fdf5df0f80bb

Download Submit
C:\Windows\Temp\{C06DC702-6A14-4322-813D-EA760E6CDBA1}\windowsdesktop_runtime_7.0.15_win_x64.msi

Filesize
144KB

MD5
b761f1556889ddc38ec9945a7b861263

SHA1
f553528e9bf58f0674c5b2a03f4f507db347b72c

SHA256
5592d9b84731332780bedbbd3805082388f45a874b7b9c59a80916b127ac298e

SHA512
33dda6fce7e776dbc8795946f0df2335e18dc7ba419f0588a30b71b608a4d400a1ce7d7e747ae921ad4ff56023cb11925e9ed09482c5d7e8b9ddcdbcbda34021

Download Submit
C:\Windows\Temp\{EA319AE0-A5DB-4885-A6C4-4DB8AE20C4FB}\.cr\windowsdesktop-runtime-7.0.15-win-x64.exe

Filesize
610KB

MD5
ea1e554e02b09aeba526503524f53129

SHA1
0f4b401ce6bc9ad17da0aaa23c02b2061b9d1d44

SHA256
4178b0b96f8d16e799d53bd83cecedf7d8ad36306061acadfa7fc3886344c825

SHA512
638e1a2224c5d4b5e397f86b5bc8a43f6fed36c29888c33916b99c9ce9208bbb28218870f9980ec0594b3feddff0f50493194ae28a51a3feaf0a99f19ca643b3

Download Submit
memory/228-12-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-2-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-11-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-9-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-10-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-8-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-7-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-6-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-0-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download
memory/228-1-0x000001BDF03A0000-0x000001BDF03A1000-memory.dmp

Filesize
4KB

Download