88f12c6fc3de84fd90dbdbbcc877f883d462b6ec5882631412328e89493e759e

Analysis

max time kernel
1378s
max time network
1415s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/03/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Galaxy_Swapper_v2.exe
Size

4.7MB
MD5

1d0c228d384719d8348c7ca2213055dd
SHA1

a994f33dcd502f50c5849075e06f4d0e9867aebd
SHA256

88f12c6fc3de84fd90dbdbbcc877f883d462b6ec5882631412328e89493e759e
SHA512

9d5b16bf855b4971f65f62f54934648ae739171c19b55e14dff665377c70ebf76cb8fdb02b2d02e8cea5c1374667774f670d4c3373cf9cd89532726860e61b6c
SSDEEP

98304:e3JuhFYwXXRYgqatNTOb69GeDluupSUD3G:e0hyqYgRNTOb69GeD4us

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2396	windowsdesktop-runtime-7.0.16-win-x64.exe
5084	windowsdesktop-runtime-7.0.16-win-x64.exe
4708	windowsdesktop-runtime-7.0.16-win-x64.exe
1632	Galaxy Swapper v2.exe
548	Galaxy Swapper v2.exe
1644	Galaxy Swapper v2.exe
3856	Galaxy Swapper v2.exe

Loads dropped DLL 1 IoCs

pid	Process
5084	windowsdesktop-runtime-7.0.16-win-x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ef5af41f-d68c-48f7-bfb0-5055718601fc} = "\"C:\\ProgramData\\Package Cache\\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\\windowsdesktop-runtime-7.0.16-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-7.0.16-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
311	discord.com
353	discord.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag	windowsdesktop-runtime-7.0.16-win-x64.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4E3F426DBD05F2A509C6867B91443826\B61D15F98E24A4A42882574055142AEA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64\Dependents\{ef5af41f-d68c-48f7-bfb0-5055718601fc}	windowsdesktop-runtime-7.0.16-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7262B1034480C14790FF927CAF26D0A\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\170B71A1C66553D5E351152A6AFB2626	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.64.8781_x64\Version = "56.64.8781"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0EA7D4ECABCFF6845AF8BD3A26F6EBB4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4943F0DE11D5B484BA6E10C561374AAC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\PackageCode = "4D303290B805CF34A86C47A4FB5AF5B0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4E3F426DBD05F2A509C6867B91443826	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_56.64.8804_x64\ = "{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\SourceList\PackageName = "dotnet-hostfxr-7.0.16-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_56.64.8804_x64	windowsdesktop-runtime-7.0.16-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\Version = "943727181"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7262B1034480C14790FF927CAF26D0A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.64.8781_x64\Dependents\{ef5af41f-d68c-48f7-bfb0-5055718601fc}	windowsdesktop-runtime-7.0.16-win-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.64.8781_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\PackageCode = "81EE9E981EA60964C8935F11B77FED8D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4A096B1A1834D04ABA4F3A8DCC57E79	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{ef5af41f-d68c-48f7-bfb0-5055718601fc}	windowsdesktop-runtime-7.0.16-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4943F0DE11D5B484BA6E10C561374AAC\C4A096B1A1834D04ABA4F3A8DCC57E79	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64\Version = "56.64.8781"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64\Dependents	windowsdesktop-runtime-7.0.16-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04147B1B3295B4161C8ED46FA6E46912\0EA7D4ECABCFF6845AF8BD3A26F6EBB4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.64.8781_x64	windowsdesktop-runtime-7.0.16-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.64.8781_x64\Dependents\{ef5af41f-d68c-48f7-bfb0-5055718601fc}	windowsdesktop-runtime-7.0.16-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B61D15F98E24A4A42882574055142AEA\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_56.64.8804_x64\Dependents	windowsdesktop-runtime-7.0.16-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EA7D4ECABCFF6845AF8BD3A26F6EBB4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4A096B1A1834D04ABA4F3A8DCC57E79\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A096B1A1834D04ABA4F3A8DCC57E79\Version = "943727181"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7262B1034480C14790FF927CAF26D0A\SourceList\PackageName = "windowsdesktop-runtime-7.0.16-win-x64.msi"	msiexec.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Galaxy Swapper v2.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 932978.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 115222.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3468	msedge.exe
3468	msedge.exe
2304	msedge.exe
2304	msedge.exe
2460	msedge.exe
2460	msedge.exe
668	identity_helper.exe
668	identity_helper.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
2756	msedge.exe
2756	msedge.exe
2068	msedge.exe
2068	msedge.exe
1172	msedge.exe
1172	msedge.exe
1800	identity_helper.exe
1800	identity_helper.exe
3220	msedge.exe
3220	msedge.exe
2056	msedge.exe
2056	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
4244	msedge.exe
4244	msedge.exe
1632	Galaxy Swapper v2.exe
548	Galaxy Swapper v2.exe
1644	Galaxy Swapper v2.exe
1904	msedge.exe
1904	msedge.exe
3108	msedge.exe
3108	msedge.exe
3856	Galaxy Swapper v2.exe
4144	msedge.exe
4144	msedge.exe
2368	msedge.exe
2368	msedge.exe
4060	msedge.exe
4060	msedge.exe
4348	identity_helper.exe
4348	identity_helper.exe
3728	msedge.exe
3728	msedge.exe
3088	msedge.exe
3088	msedge.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 63 IoCs

pid	Process
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreateTokenPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeLockMemoryPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeMachineAccountPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeTcbPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSecurityPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeTakeOwnershipPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeLoadDriverPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSystemProfilePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSystemtimePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeProfSingleProcessPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeIncBasePriorityPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreatePagefilePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreatePermanentPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeBackupPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeRestorePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeShutdownPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeDebugPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeAuditPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSystemEnvironmentPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeChangeNotifyPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeRemoteShutdownPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeUndockPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSyncAgentPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeEnableDelegationPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeManageVolumePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeImpersonatePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreateGlobalPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreateTokenPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeLockMemoryPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeMachineAccountPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeTcbPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSecurityPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeTakeOwnershipPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeLoadDriverPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSystemProfilePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSystemtimePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeProfSingleProcessPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeIncBasePriorityPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreatePagefilePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreatePermanentPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeBackupPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeRestorePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeShutdownPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeDebugPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeAuditPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSystemEnvironmentPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeChangeNotifyPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeRemoteShutdownPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeUndockPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeSyncAgentPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeEnableDelegationPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeManageVolumePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeImpersonatePrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreateGlobalPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeShutdownPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeCreateTokenPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	4708	windowsdesktop-runtime-7.0.16-win-x64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2316	MiniSearchHost.exe
3468	MEMZ-Destructive.exe
3564	MEMZ-Destructive.exe
912	MEMZ-Destructive.exe
3048	MEMZ-Destructive.exe
3324	MEMZ-Destructive.exe
1792	MEMZ-Destructive.exe
2152	MEMZ-Clean.exe
2152	MEMZ-Clean.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 2304	344	Galaxy_Swapper_v2.exe	80
PID 344 wrote to memory of 2304	344	Galaxy_Swapper_v2.exe	80
PID 2304 wrote to memory of 4032	2304	msedge.exe	81
PID 2304 wrote to memory of 4032	2304	msedge.exe	81
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 2424	2304	msedge.exe	82
PID 2304 wrote to memory of 3468	2304	msedge.exe	83
PID 2304 wrote to memory of 3468	2304	msedge.exe	83
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84
PID 2304 wrote to memory of 2152	2304	msedge.exe	84

C:\Users\Admin\AppData\Local\Temp\Galaxy_Swapper_v2.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy_Swapper_v2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d0873cb8,0x7ff9d0873cc8,0x7ff9d0873cd8
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
    3⤵
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1844 /prefetch:8
    3⤵
    PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    3⤵
    PID:2388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    3⤵
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,6972647680427204988,2449168614637449701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- - C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe
    "C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe"
    3⤵
    - Executes dropped EXE
    PID:2396
  - - C:\Windows\Temp\{AF58B3D0-94BC-437F-B9BE-1AF5325C7A1F}\.cr\windowsdesktop-runtime-7.0.16-win-x64.exe
      "C:\Windows\Temp\{AF58B3D0-94BC-437F-B9BE-1AF5325C7A1F}\.cr\windowsdesktop-runtime-7.0.16-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5084
    - - C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\.be\windowsdesktop-runtime-7.0.16-win-x64.exe
        
        "C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\.be\windowsdesktop-runtime-7.0.16-win-x64.exe" -q -burn.elevated BurnPipe.{4B48D8AC-D800-4920-9C12-2016B0982F36} {5F15AB63-053A-401A-B523-A2B1C126A8C1} 5084
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 209F38AAE9A51EC1DB31B487E206A64A
  2⤵
  PID:3412
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E104D0902F57DF4374F707EEFB93AB2E
  2⤵
  PID:3544
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 54A6D598CD3161994E4EB507915B4EAB
  2⤵
  PID:4348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D4C9E1397E79C655BD997065A81533DA
  2⤵
  PID:468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4080

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9d0873cb8,0x7ff9d0873cc8,0x7ff9d0873cd8
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3424 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1812 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Users\Admin\Downloads\Galaxy Swapper v2.exe
  "C:\Users\Admin\Downloads\Galaxy Swapper v2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,12713917151249315946,5433449860150168552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1448

C:\Users\Admin\Downloads\Galaxy Swapper v2.exe
"C:\Users\Admin\Downloads\Galaxy Swapper v2.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
PID:4804

C:\Users\Admin\Downloads\Galaxy Swapper v2.exe
"C:\Users\Admin\Downloads\Galaxy Swapper v2.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1644
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start https://galaxyswapperv2.com/Discord.php
  2⤵
  PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://galaxyswapperv2.com/Discord.php
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d0873cb8,0x7ff9d0873cc8,0x7ff9d0873cd8
      4⤵
      PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
      4⤵
      PID:1804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10209981550582627901,10828227605996398568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
      4⤵
      PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4668

C:\Users\Admin\Desktop\Galaxy Swapper v2.exe
"C:\Users\Admin\Desktop\Galaxy Swapper v2.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4572

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4268

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ff9d0873cb8,0x7ff9d0873cc8,0x7ff9d0873cd8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,4554430983485381699,6048610397811528946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3564
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:912
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3324
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1792

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Clean.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Clean.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9d0873cb8,0x7ff9d0873cc8,0x7ff9d0873cd8
    3⤵
    PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:3500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
    3⤵
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:5944
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
    3⤵
    PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
    3⤵
    PID:5572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:5624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
    3⤵
    PID:5988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,15404463834493741262,4321321769055697101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
    3⤵
    PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
  2⤵
  PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9d0873cb8,0x7ff9d0873cc8,0x7ff9d0873cd8
    3⤵
    PID:5592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5245c2e2-277a-4714-8d1c-8cfe22e632c7.tmp

Filesize
12KB

MD5
d6957f26692436f642aa495ee54ca5f8

SHA1
87a6838d1440821d62f07459d3a58d586a7610e8

SHA256
8740f65a332b234739d9a4c9818f89dbc967e03511842119dedfbcfb7ac269e1

SHA512
6989dc992b17a90b03ecc438ed460bc320958637cc85dfa29f644a746e7f4d18e814d5bb6e47584fcdaa483c106f47bfeafa6ec9af8324bc789a44938fdcc49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4604cbec2768d84c36d8ab35dfed413

SHA1
a5b3db6d2a1fa5a8de9999966172239a9b1340c2

SHA256
4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2

SHA512
c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6717e0d50ea1851baf2d5a15edd1e6f3

SHA1
becd46359368dc76ec2955a699c37510a3c756c0

SHA256
033b14c414ae8d2573d28daf055a26397974868b597dba57ef21bca6eb4bd56c

SHA512
8b4c6b8d554f20d06a8892b0ee06cea48f3dd56e129d44ae2c2494512ebee77bb5952eeb256dcd2408b2bcebc2ced06f2bd6e837deab1ddc9f0498934e632018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b210697a947d9b6de8ec978b49234798

SHA1
c9dbb44de9ccd61b6d74b3f0c3a363c482c4c500

SHA256
7e82fde11b678ae9b6cedcfb98669844d40612a411344a4edf73e8a39ec51f33

SHA512
42d92e4924b2c5db9e126e398aedb018c6e8a1a2f2c18c721b9333aa78748acd80d50306d67169cabab2374a11e13313764f17f27deb7563656c1b96eb42e066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5ba2eaa4529d915a87ceafe3e04bb90d

SHA1
b5a624f845e4a65caf2cd8abfd8fc694be797690

SHA256
0242204633206caf6197b98942f254fc44e10e870931d962939751b1b05df696

SHA512
46606c4b79126451179a2bb94bfaf0db4491f709086cb83ecf10c7cc3ebad46d3d0ecbadd3f3266c50db94f34db376b54af449dd95bdcad2410680b0266cb958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
577e1c0c1d7ab0053d280fcc67377478

SHA1
60032085bb950466bba9185ba965e228ec8915e5

SHA256
1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158

SHA512
39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a3b34279f8373c745cf85d502ee0670

SHA1
4bd02a6ac4d600c40e4b4dd9d36c7727f46891d5

SHA256
e024391a7649fe69dbe86272e2d3d1375aa876c9aee7e5b1c7cdda072c41c7be

SHA512
3280d612ce610e1dc6034ffeb6f7e8b32f7ffec8d8cb3f7489dd8c2ee8bfd63bb3932905d0d37918ce891ee744afdcac61492be0f49ce95e5397cf1d80bfe163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cfb7f468d2475f2e567d0d4f4f061ac0

SHA1
35e30421b9426fb34b9825ff64523dbf89f869c7

SHA256
f78617e168fb0cf91669a1f5d3bd81f27cde5a4dc32256d036983f27ae9dc3ef

SHA512
eea8372f5c2c9c2b5270879c9b51162e3bd4a97fc386a460b27105babef146a9a5904799873779e89c4c169461ad1cfb63d7dcf9b4caf243d6c67679bc2b936d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
b52f52590e2a1cef0ae2a56d31843fda

SHA1
76731e50c6c7badfd0881267b18b784d1e78be71

SHA256
185fa9c265a2b508e4b9e24ff2306060535985bd4980781fc4062b25ff612436

SHA512
bab109f40f27c8e6e03fd98432b849bbdc034709312644717621a265bc3f61e9954bebd71561015fbd1e95a6e7b295552aba3ac79ce6ff34156a215e2691a4fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
192KB

MD5
dce3f93d95c9384d2268107a51d8aad4

SHA1
5d2eb359ae368211b820f775a35cc051500b769f

SHA256
733cf4c120d90e4b8ca0e476189c80edc24442cea20bbc829de2427bb3b1dda4

SHA512
23707a215167ab8197e8367ba357b808e4dfacb98c5b62b7527405a96e0c63f98354cb98e016cabbf7d34a15d8d929f503c0d6c3003b3efcb0ad299b53949bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
162KB

MD5
f2fd0506c0855762bf8346581c5db65f

SHA1
247f4b783db6e34f737a97fea71f3c3e71c197c8

SHA256
7c018581d08019d7e17a30c4d223599d6d555746f78c7acefaef859e8fdd0694

SHA512
894f2d14f8148deb4a4dcb8e2fcaf69388f08bc6e1eb046f76bf9f622b75f7d83f12cbe2bb231c039f1d08c8ddd0350e694f51922ff9d9461b8d9acef59724b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
128KB

MD5
79257865470ccc435199e575d627960c

SHA1
9629ed72a518df1e5058e61a3d8623d805f6f8d1

SHA256
e802b8896d45690ddfef9cd69048a5d969979c38e11d20eaeb84ca9bcf72a448

SHA512
63a074c378865cd7fd7ab41f3b0dfd40d2f2d2bd1892798117d6db5937d35eb6117e5b27806e4e08513eec8c10f8f7c2de7411668efef54d600a5bcbef28acd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
430KB

MD5
12ce568001757bb24f13d6a6e5161ce9

SHA1
9a4ae6c4f6bbf894123558fee1b8afc1137b36d6

SHA256
34cab69ceffb3a9f7d465ef0f2261e54d41e65cfb3ba548d1566bfbe570c6fd2

SHA512
3f63b9ef95edd17a691427f86c0c1a4d2236a563457a258e5e457dc00d2bae70902ef91b05fb686c13ce25395265a3d4716cbae3e6f80139bbf683458ef50615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
1024KB

MD5
8c4cf15a41626ea5fa18079e87251f6e

SHA1
bdfbc484823bd45613ccd2b4426d2a4ef59dfc46

SHA256
8744e46d68f2ddd11b68240af4ba3873530de0233d2a0a6b971ec4ba359e6bb0

SHA512
5ee565aa7698e5413f02db609bf175ebc566b410cbebb9250080e20b6f960a64cde390639d2af3b65798d5e848b9bb6601958695051721f42869cdd798debe71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000ac

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
7f1835fe5c68dd642bd11fb48b6b711a

SHA1
797780c1a5aa1eaa499d53829c4167aa2ec695b2

SHA256
c67885480333427cddd412cd2a0c1715692f1cafe7069ba3b2e4237a7a60e423

SHA512
ea24059a61221761ed48c30cfbf4f1620e76fdf2e2953d8591a1b690371fa7c2ba31c1dd9b532f8f62721430af61066d4780f2d4d18289e2691be264d2d6e67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d3dd25c926140bef4e5eac29cdac95ee

SHA1
a05babe03d95f9f44e84cef4aaa6414e6a5a1efc

SHA256
1c956d019e818a2f4204419e213bc1b34481dae2dd0e4a0ffc687303b5af5129

SHA512
ff3f41007830c6697dc745674fb1b6555642aba2276111db8e0564cfe5a9008fa554c0a1256314242d35507c4e6312a589b6c645dbe1ecc5ba635cd77141c42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
485483cc6d280dacf488dd0cfdac6386

SHA1
a874e8a2b888b69f07450b18f95b9006571b2bc7

SHA256
805b93c8178b6b8c852e62967d1e6b79c0c4bc9d3777be60aeb3cdc0d238e951

SHA512
ad9e375ad684c3742021a713f11fc49a9f8c4817c44fb39d6328160a0b748108c5037bff1dea6922abb5299f98d54f3f6d4dce1627f4991c4b8a6678b679bb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
44feb7b890e38f31340d2026757052d4

SHA1
a8dc38ea8a294a1e6eed3e19daad864977f7755a

SHA256
95ee4ace7f540da39771728fc5f4d82ae32a555f728562538b41f344a11d1f29

SHA512
bb903a3c9b4a828f05cf91e508da33686e34e9695d07ba7604735605e603bbd5e5cb08124f4fdc4e28a39e3afc60605e35ae6f4f52e8dd3cb8e1ce812effa6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
b4a59a2b7831cf4798a0ae888cdbde30

SHA1
65fe21628dac33a9e7f2965fda2086316364a07e

SHA256
b71f3f01f7c241702711d33eb3ba72f8261a28703a6ce49c20504248bfc18c00

SHA512
1b2f10fc7d9d5d9e0703795c4f3e06e4a27dfe80ca00ef0d2fb06134109808a2abf69e7418250218904fa75ff5019a42da0d04a841e99e50106b9958a6870c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f1f2e3dbb0960f9b679324e1a5dd59eb

SHA1
4552ea4f757d2fdc1d69e74b656dafcf0ae21a1b

SHA256
8a664e96850c090fd0513d06e8302305231d67e54fa8aee90b607689a8443628

SHA512
b009b42ed123a54d1ad49c4fd63024ba26c9052627e41ddd3aaa6ee457e5cb5b8212c032e4e3cf358a0e41e1e3a31074650aeb04edd0d4077492b8f512c8e8b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
59df65f058162b813541740d9d5705a6

SHA1
3ab68887b877f41dd5c498d3089451eb0ce1d16f

SHA256
0b26f683e7bc1d32fc4c8c66fb8fbeef7807181774ad13a3f7abf1617e064bdb

SHA512
ebf8f6c856bfa54768c3977b9c1c6b517d37f203c2a29125628160f50b75bf2bff7049dfa7375d6790ba7890d305f863d7c01a1ed8d9195c72e31bc57e436d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
37b63ad4645f7e50e3061d31ed4fc6ca

SHA1
e26169c83463f98111cb3030fd9e980f4885b44c

SHA256
2a65bb947568b7623812a10c3a41aa527bf0c6435b128ee1f78047462f9ca6fa

SHA512
49ecb8fce7ac1dadc882ee052a447dfa327e66067cd59a85f5cddd0b075dcbcefd8f1233d477fd0c10a6fbd5164b14cca81f34ce9b2a8090265b1f2914f898e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
5cddda9fe573e47490033cf7b2be4507

SHA1
48d3a330769069a615b9e18537a2ed1c35e1e4b4

SHA256
0bcb062e71925704192dfde1f51a90db5588c14645c960c928b2f3e7ba6a5257

SHA512
b9270e31af796e7c188897ede9a62d935a84fe10640adc6f617ef46cbebd8d1040618d430694ca9a905491bb9a81ba8d44bd9cd820d5fa21c769d1bae8c17172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
57cfa1a8bbde274e356ed92ffb0e99a6

SHA1
4ac9ac9707e36f5b22aacc044a903cf61e898924

SHA256
3bb8e4befedd5c25759b5f613ca9d6d32ab72df7fa64efe76ec30979b307f32e

SHA512
87de08f683819e873bf48e34afd6ab3f367aa4d7438847515e03fb511c291a0be88d539a6a8528ea53bd0b8a7bff833be37589a3a5a423ecfec36910b68277ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
2KB

MD5
0a5d73081fa9de95ae4a65676750535d

SHA1
f76853d9096e278261685b80d9eda98d33ffa80c

SHA256
13a6a635f93d836790eff069803ae59f5f2c6c203a9f2162d72408b3bc10ac3c

SHA512
7591014d81a638302305c9288e0d89649bf486abb5dc5b8aba5c1f68759c41119773e118fec9ca35e598d152692b3d5739732871b68fe3110ffb1218b706d6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
276B

MD5
cc7a07141f8b6b31a0117b0d83d0e5e4

SHA1
d53c0fdaccff24d9c65cc0e855f6dedb850f0972

SHA256
5486af8f12477b262160e92e31e23b844fe9a53ae6cff3621c82b844f074a98f

SHA512
72f51efee6adc3221faa1c9fb9e10462abca0c29060190a40a619a4e2d0bf170d847b586145b8ff4c604eaf7cecc7b7e154f46b0fce21a785d82dabf1eff248d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
11d562c1df0513d7467e3c482eb6e787

SHA1
d1480f1e684a724c5d90bb1b835b63cc7612160c

SHA256
182277605ae75c1abba233aebcb0d96d89370e15345e57b3f64807cbbd157f82

SHA512
808c9dbc4c7cac8ecb551748e78821444cca354487e50d44c74573074b9ecfb3a1dd861df98b347c4afedff65baebb50b5c0ff32738ec635b570763576d2675b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1002B

MD5
46b4646dc70e7e27921454f474179708

SHA1
222d59f2c5ee97cbe1100439787874d5a3c7a15e

SHA256
ac9182b139f053ce430ef69862e09fb5d343e50ff3b2c912d8a4777eb8ffe02d

SHA512
bbbea3fad64c7ad1c0e16a009da2d227cd00594d04af9f05ac9a0f9fd5e09c556a8e68fb49e8888aa22f1252e00cdf476301d2bd79c90dfa7fa368855f8c45e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
9eab076142093d1772a3140401692312

SHA1
b5d81449b7880c1017b66a5e5267c8ff04524de4

SHA256
5642c7bdc37160f9358349e5a4ffbd56812de02dec097db929c0cf5c7e93c656

SHA512
034ada31cef367bb7541f758185862fc8174102420efb82ea7e8af9b9b123a27422e0540a55380963065505ecd0a9ce9f38e0d62cb31a2c14e5ec8c79d602a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
29a51d1e83a4cdd771d5ceb2895fadbe

SHA1
ae79e707fc2512e3e0ea07e003ca8a1836fb967c

SHA256
31ca158526157fe2c79ad8482ef67a753b42f808007685af9e78f8609b99cd9f

SHA512
5cf2fcfdb2b1229298fcc5fadb17ef8a6f6d86a8aa8c19cea709d39f3f19d8ffb5c51f3ad363a932a1c3bbcfe3e61af20a50c58f41bafb9b96434fdce7e8375e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1002B

MD5
0d2691e6ffe1773bf3d85f32edd30749

SHA1
2eaa6a6a97e0cccc4c6e890abdd0751c5fa540f6

SHA256
5264d4364e200bae361755047e46e542c0d77cbc8f8d2b69d26043267b6db52c

SHA512
e19706c66efb8b8b2b77f7f1f8e191263de924500ae28953e6669096c5122dc4ca1904b1359ff2dca5c8029726ad6bbdbb5e25000303dca4b6bf2699fa271b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
3643f74c6f3bdcfaec048239ff9243cc

SHA1
b4d22cb570d4d2afe2b70d1510f9fba0012e32f2

SHA256
d8b1a145e0afb7bd11d9ac988862346d96ecd9725d6fa15bec6d59e6731dddbb

SHA512
478ce9179d6b6b12afe5981abf13d1ae7a89405446c6cafb779d1b3ecc1fcebe51d3956684b2bbc49dc55b8913405a4ebb2d829f304b29d773b6681019d52d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1002B

MD5
e5be0ae50129888224457950c1ff6501

SHA1
d2e44f6c226280ed281d19e62bccf57bc5f9719f

SHA256
a651e83123237c6628c0cca528f42d0a1325cda9609aab22981010f0da707073

SHA512
a0ef810341bce5992dddccf0cfc09ca85e0f30290ce4d66862d260a838d96b0522a7d268af83b40f3cecd11e11fb06b593b0d2049dc1b471238d1d7f09ffa8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
d54793d91fed006ca118143b3cc73a33

SHA1
a3c6e4431acc778414133724a5a1d73678cfcdb5

SHA256
6cb260669578d1899cc3dc01df1e2da036fa3ecaf5574070bbc4ba63173d52d8

SHA512
542f3ba33a6bb2020ea74121c944dfcd71c91751800e01108014ba7e5ac7b750b08c981c2cfe26b383af8e4845ff4cdacfdb6a1e1db13f35bf3cfb2acbfbfe2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
e1b7af99083522cc7b094a684301d99f

SHA1
3fb6eca28742980ace3728df930a38ff0abc3061

SHA256
4fdc97018975cf6136b6ff5db712958c38343102ed883875c4d4fa168c192922

SHA512
c2e9126afd7151b815b6dfb1c41339caf5319a3408d0020c59d991c79815bfcee827e7d043a05470d6f5470cbcfbc1b3ace542991731250551fb94debb5e8379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
453990e883199349cad956b388fb1669

SHA1
6676bb0a8b698b65cb2d825fc7c404bbe90d1547

SHA256
dd9fb2a3bdddbc27479099de3622603d6c56ebf7e76d4aafd2f9b59115d32a0a

SHA512
7ce33fe9d589b87e64033e73dd4a06347ce60a5bf232a00beb26dab415e88d1bfb43715f92fe576699b91b7e3a93465d9e1c780a3d05fceeb07d4c87605511df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
32b876be3e7ea57b48c3d5553c024037

SHA1
c541d2a7e49fced1bc7efe6aeff1ac3631facf64

SHA256
6e4222d86ba9ccb9c3b4eeaf40a36b3913a2ebc0ec98d8f7060a61bc8b3fe87a

SHA512
fa4634137e5ca25494f3c51960dec93d0887a32b18610a3bf665f8df86e1b00857377bd13e94a6bfb489e9b153e512d089d7f652e1c2270c3e5a4d453fb33041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2def41c5430f2ff7c4f1d39474d27428

SHA1
5cc9cc2be4bc8b65f2ca444f66a2ae6483605bef

SHA256
b1a05c69d3ef14d5066ee0b3a22f73c2c636d79ca5f038cda635c4ef6ebcedd9

SHA512
52759a39671035ba807accc261ad233dbecac929ef6b34e8eda303b8cee470a11c2171adbd43376c31a7364a55c0d61dab6c4bb034c7eb8c484bfa1a004d2ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aa2fd1069303d91d88fedbf977ab7572

SHA1
f80742e25f40b4df235b65e278383790b51dd2a2

SHA256
569f6cf6c59c24176139dfb3fa52f4a557bb99b7faf8a17489d07ca90c7fa3ca

SHA512
ef585817edf513b7e7c5f6a74cd1dc202da9ce49c611c32beceade550b839327062747fb8e19bc188eec8580fcc0f60bccb9272af7110c4365db5854729869a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
259262a7b34a30cc1f7982ad5e6840e5

SHA1
1396fa2d8165b187cd83d48a32873ae9d40c6500

SHA256
80d77757dcb2e06f1ee8a3d0e1e962eb68c5d6183a3c5aedd0d4b90f1ad488ac

SHA512
5de231ee4c60f794897a3572e29abbb2740320f13dd76ee31fc85e7c729e0f67e00cdea639f05f426e168414bea36631e281f8c396565d2580e2cbffe29d5c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
1f088adcfa65afa41cacccbb2560f6bb

SHA1
e0dc287eefe59c6ce86e386fac590c6d8e3ad461

SHA256
20f8ba8689d3c4b511dac0cb5361285841fab93cc33837e45a8b52c3925eab5d

SHA512
067848374080992952985d5eabc09738a42e709cc42d48a2f67c6f3f5f746e0641d87a1f9aaa7cc39449bddccbfd22b032b5ca90ec31cc587d695feb982527ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
dd172a7856af5d94e7e23961721e8abe

SHA1
470689c6c6bb323221093a1a4cd9e289af27a7c7

SHA256
4de4d7c67e8b3565dda123d469d0aa83c0a1ce7fdc65b17824557da5044fb5dd

SHA512
10f12c7c4471065b5cc77769db5db49c8d177c86cc5ac37da29fc518d3aa39d4fa0898b54eef6c69bd5de52fe7cfba4768e7da3beefccaa07474649148b935af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
1c1981f4f673042726b4cfb2a2372499

SHA1
7effad63d2b83784c4990bd319f9453ae22cc925

SHA256
d0d2446a5eae0ef1b6e172ac8d5a58600e4625d89108e96afeb215f29c019a6a

SHA512
58ba7db4c1409436ed92899e054609ec9972a9f5ddd818403c97c31795ad124b7b69c26daa1fcc6ca6b32b18cef773a3c64e20d9b64649e1209be9ddadbf255e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
f072e36024d35520b5998e7d89e34f0f

SHA1
7b09fe77cc20a9fea76c7dd405850c9faa11a618

SHA256
2c7b9b517f637443e2771c8732c4d53b76f556d99eb1d63d7f534dd250c3e48e

SHA512
af7aec067a48b8d192343af3e010bdeb17dbcd64e445ed4a98135ee0f286da2d2690e9fc58219027adfbcf4514c05bd97b811d75a17293a75bae456e1b676c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
0c3092cc103c10dfd1f31fdadf8e9a6f

SHA1
9e56005246b53490d4e87c5f92986d1bdd0a01f9

SHA256
69f9d20f46f3296bab9dd1c8256a21595d04110348ae19023697964a9e5e896e

SHA512
bf64d2f978a04792b497ec067a8e8e2ac82c570168c75a03d16b9ab16d5cb2dd234c66007a4d9b4e915e003468832d34c4434937b42610ed1bb46f063ba342d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
eb2b58a154f1deb8839bec26ac434711

SHA1
2cb5e567b402aff1b435fa607a2fe60315d7e4f5

SHA256
e960b5b4af754c4ce99e47524305c058677071f77cdb4fc1dcdce74498aedda6

SHA512
0642a3d390a8542bdf91f05a6fb06164debc6bb543c4b1d19604ea04692904eb1cccf25845a629b9d553e03d7ae3714658559cda3f90af3abaa22b2e036991d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b3581ba75b543b85e5f37636b52429f

SHA1
0a9e1e73b4bdbfd54fc46f242d9058886a255df1

SHA256
cc3a0bdb76286857a5a76f3a868578102b7ff707cad009a165eb613bc1fb1082

SHA512
d4052e058dcb377948f6696a6980c79fafd1c8c9be2480889e66574040f5be5870d1178dd59fe068ec202ee6e1c653c32fb42ad4be3b8f6d72019dbfb0eb6fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ab73a90ac98adbb4a504364c3c1070c0

SHA1
b832abf45524f4deb760527d7ddb6b780ab61800

SHA256
7a27bc46fcb7ffc6a1c8ebbb4525830084aabbbc72a074081c337a0ccb4fde1a

SHA512
af51af87683be2f43b133915e2e0a76e8f30048c5a5c0a924b6a157a2c57b360f241b3046bc3c8da2cee2441b1bfe149c46ed0fcdef78a05df38ebab3ee81a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e62772b5f74ebbbdb201f8383f792d78

SHA1
3d6d5c11eeaf6f94d305e20ebba8694b8aa4bb75

SHA256
3692e8b5239f18da6ae3cda10ccd2fcb0811b8dd0b04dad54ce285e9769b3cf8

SHA512
e3d2de618a1322b2d2c541251fb3139cd3d67c8556a9431c6b2e76bea85713c58ded1f9dce66e977a26df1a5c80d53842c3f164bde0810af395dbfc63d45862b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2b38994a911100f9597064424ca123a8

SHA1
fdc948b806cf20912bb7b76d9689e8e974e3453c

SHA256
d631abddf2d5ac7b7b86d8d9937cbacd42747316b46fd5d8e096015837f393af

SHA512
cafb693b2899bb50b19f09b6d55d9040cdb626b3bd02a1c75e71d5748529f08db63c17d940ff62d9eb2cd3f5434ab52651dfbd8fa50f551ddee7bdb7066c54bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
51b6cb6355228f5786582e26623d2402

SHA1
217f6aacbfa5ef51910337928171dd16a039ddb7

SHA256
6d316fb80f247614eb81d946475c3d07736beef378c7ccd157d5336bf0e96ec7

SHA512
e536a79d898eae6fde2fa201b8718025d406b24c71c63df2611647de3f431ee9bec95842efb55fc0b01c0332b7fd6d400688042a23fd1d8548dde1aace5927d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
c441646feae6b6b6b410eb3ab74a47b0

SHA1
066ce6134dacbbf4bea987ff699f11a2e0060aee

SHA256
f8ffc54265506315945a7e6afca749dcc7f2f8ee9711eb87f76b7431c2b1f200

SHA512
2ad176fe03382108c70e27f37c77c61500970afb4f25a8ad438ef1b6634a2048690c73f75e61a8767960f7a3f0479464bbe087117bd88120d747628103060d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11ca4f99fe91bac2198f7c4a2bdbc494

SHA1
bb96610daf14ce09e7b3c3917adac8a495ce71a4

SHA256
b288fd5606fa7c9660bf5e61008d0d074b809776bec871da22133f7936f3d202

SHA512
dc75c36aa433d5680b4b4909a1285da32a2a90cc804d964b172d811cafa448a4da3e79e036b7f01b69f30d52b06f56c2cbd08387b236f4540ff9077a579d1a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c6e1e5b6f80071a135242bc46a27091

SHA1
f7653b7635cebcb3c4c3f3bce01258e537ea3423

SHA256
233e7c0a9b1115462c09abe834c39a2a1ce041721416f159369ed94ea622d849

SHA512
afb508f2b5aaac3c8794413c31d3f33f8c52a89f50a19ee904933eb2fe7b12989929c0b4626e6ec47be1d3fd2f8f4e205e5c11677998d1b4407e767e27ca7b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9703e76ec41b8367b5a37b367b2476de

SHA1
d107304ec3686449bbbc2f58f47c831391a842fe

SHA256
e2d4e52866c93a2416941ccba58c5c63b5e7171bfcbb037cd59a29fc331e3df9

SHA512
f52fa6f577a0af46e4596fa759ead1e27b3c4a8c69487c80713b34522f2279ab70f19ce9a57bf2145d161e563a43a531932cf830954270bbc08ba1a29c77be66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe61d3ba72c28ef196a0e9e541f7619f

SHA1
62f84e47e87b559ad38fb9c95914167ff119d3c4

SHA256
c61ecb9ea0038a830524936e34ba59856723e8f312dbadf4d799ad69a07d6339

SHA512
0015bd57454cb4c7792395557d469b5aeaacc674a5d958fb26da74baff238fdb1f5394bf33a13a2d439a186bfe428a74200a793bfe7db2c4f101ed9d712d50ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
71d0486abbf389e332925ef15b688c1a

SHA1
5cbbb0e7db7b6d95deb3f9d8fe422e81268d4a58

SHA256
46d4edcc24bd203d8cadd84e87ece0324460f62977af88280afc744aa2ea4bb7

SHA512
43a828557252aca1348e32428b3fe04c1eaa03c3598e46f782f126c11be930272e85a028e3920dd63d884d9864134cfa299f28400c5df877f2c5784802e73fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
92db4bb79ac7e03a61a65cbfdb49f952

SHA1
a6b42319520cad12dddc418e4f610815ab7c4fe4

SHA256
d41d66300969af51e9865f56b3e8adbefbd0e5d99f4b296e03d64299f736c06b

SHA512
880255aa5f9afadac003ef2f6bb223de7d803f6391abb91e10f47a41ef74e6b90823aff1898491e067202ad8c5ec4b73b95f069e41eca5a6fc61d9131b015a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13354481651882763

Filesize
2KB

MD5
5f5636d20eeb7a4ad29ced049bc81b55

SHA1
b703abe54cad05e6ebbfede67abbcf8de68732b7

SHA256
8319278ee9f9c49eeec2a4794cea2d00ef5d1a710ead8c9473b092794a96dd19

SHA512
50737a1fcb7b3d00cddeec2ddf21f2269aa210da3e0f32ccdec09f8a397a98f3433e7123a354cc89b240798aa6ca87e5ada38d3e563879a9e3760bc2391cde92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
dbfe352f7064725bdaab4dd112a28d35

SHA1
0c9b72cfed91bb52ed03ce0ef7078266cbe17d44

SHA256
ff6488b0718e50b92e384ba3418227c2b0b24a9471d46c3ce30a4865c88d8b81

SHA512
55432a95c532df75b727f87f84694631a807c1eeae1174de399c9c59c784827b059ed4e8b072e0cb42b444685f23e47afa02f02eef09ef37576bf0a380270123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
344B

MD5
bccaa97c437a08cb376436d348e437f8

SHA1
7b3ac709ebddac81b72b47d26b51eceaa10d8096

SHA256
dfcd279ad5b6fb128392793dace1f9728f1c7b925ef55c658d54a3e158039ddd

SHA512
5aedd46c74a22a0f12360c15584ae9657845978beb317a8a92fa8dad45c77187dbdf21de512be9299914506bcbd926842efc10049353baea59a37cbab3e1c502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
320B

MD5
9e34f9602082c18cf2f6981e3bd85418

SHA1
47f5dcc4e42ca04a5576a648500cd30097830be4

SHA256
e234617acfcd055c91843065918f1f009001745f5f69eb2c2db9c6a3278ba08e

SHA512
40c72100a688f5e2ed6443cb9f6f2349a6a5acb5eb178d6545f5227ba52762a2602db8f555c405449b4110a0621c7e7f0d0e2d697e1de557b78626ecb3a3c76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
7b32191a8656159b03492d8b488e6880

SHA1
570987a9156d42655ab0ddff8012ad0d4b062545

SHA256
c7c04ba223f955c96f5265b9be933eca5c027234c54db7becbcc4e396ed208f1

SHA512
ac14b360bf0f520039cb8aad71c78d5fce1d95e9fbf3bb7cc36905e306cd709c6420f258186b5104b853174464b8fa52b0f414e83195969414e997f0249fca75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d72530f5f1570382a55e1f6dc8037cd1

SHA1
633debbec82a9dedc0a8081394f9a09825756a25

SHA256
c5e0edf5bf97abb7763fd1329757363b2b39425857e4abaaca6427f655ec2270

SHA512
c0a530fc57a6f5c5f984810018292526c02018186be4a249288c03a1576df746d03718a64449f7214df3dde96525285987a232f7187b20240c56f96f1ac8451e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b2036a0c8fd5feb15f52faef731b8737

SHA1
72d89dca274789662bba46baede008701b86f14d

SHA256
0673ac2532117944875a53ed97291be322a36ca8422b98904d9fc5ed9c751670

SHA512
30ff58fab553fc822f496362e1e4eee80ddcf09c950aaddf547d5e3fc28151a82a2b5da275f904db81d43a2bce000d2ceb7f71bb4f6f5a646945dd2c6077fc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
01aa45bf9deb0b0a573fab9a66305464

SHA1
38e16f12d8cea390e14b0004b11ca018dfdd6ab7

SHA256
cfd365ebf9ee5247d8fd6e76f12fc26d4028a50ffcb215440240bd34ddc6923e

SHA512
73c7355bfcec39635ba7051015541fc1906b26b0cfcb80cad7ba0c7e05cb7a96f76a662c169522e91fcd069132202ceb789386d51ce4c6c9307987297ad9666b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
767ca8bd3b50d287838e233801740bfe

SHA1
13a449355c83f6916ea0513e167c003a11ce3111

SHA256
643ba3be9623cf5d7ef180da386d88dbee5140bdef8e4c108b291863d62aed65

SHA512
5acd6ca2ea42a51a6ac8162ff4c18882a42c229d79e538c0e86fc1eaa2025b823b4f7ba21fab72271831489d4f4e27edba2efd5b8fa1fd3992d127f128cae35b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1ea86802a2e688fc417d06023910f627

SHA1
58219c520de3a5979d45bfd5aa8e0fb6fd9d82cb

SHA256
9bfd4bd6afae26d8c17200a78fc8b60e4bddfc0b4599fac030b16e1c886fd92a

SHA512
bad3a015104876cd03e0972f139ae13208995c02b4c8fd7309a7686c363202377c37e27a1c0eede4d14968e129c7515bd5ee531799bff8a1dc57daea174525f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4c1dad3f20537ce89151c6ce89cbac98

SHA1
3020daf330b080d5b2d27c02d5b5a0b8ebef58b3

SHA256
440e20c978e414b779bdb1f27d9ec132e129e8e4a4bce81f2afd71134e9c370b

SHA512
b29c7ccaabda4c0bd30835b5264c8ed732895e63d0b1226a3fab52fa05b8e514ab84f6eea763795620b2caecb205bdfe179f9d2c3ba6dedc4d4d43e4f791c7ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7329bc5ce4176b152e961c5cda83ee96

SHA1
6fdeb5600a1459127856a05fae0154f9bb8bbc84

SHA256
2d96716321370fede3d9953315cf1092e1301708e4425eb4233b8ff06d0351d9

SHA512
691e2c1f6f0242d76e28df49109de7b3e6d360f6b317396222c128229db252f5edc639d410d3416973c3dfc6f94b005bf69427dbf07dd57709e0dced8153d99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
53ef7d8d06e3a5f0ceb5921ddacc16a5

SHA1
03226d5faa3f6f270369e457340b3d74e0dc1246

SHA256
42a0df0394a4ba9288b30382dfed7e1994c79b4a3d0f0babf56ace846dd1ab94

SHA512
53a9fa1bd1807fe9bdca65f6c9ebabf0f17d33036413bff69b3a714c2c1f99270041277a3aeec68c5c59ada7816595203a659fc906d86ae083ac58c85f1147a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
04426055114fec30a9a9901a1cf7a1e4

SHA1
9e597b053f9b2e3c32cbd322e8f8b01c3332b29e

SHA256
5618e65c09732280ae982fe0e03b396d233732c72f3b935ebb8e8eabb1dcf0d8

SHA512
e92e767509e672eff07dc64206e2a176602d100695557e784c557bbc82767b357a3e330d972f734b3d84a2fe6651297fcf9a79773837700f0e4e6cfbe480729f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
e44e65f281a80ca0495818044dec8e3d

SHA1
008751d6e6e1e0d6632b2b3ce0299d90dd195737

SHA256
8b641d1713566c423884e74629dcdb903fb8362e6bb2fd462636f17c20d9d703

SHA512
e9ac61bb709798a634c32349cbdc7cd241f654e27e37fef2db04b4536e43065e6f06c1cf7680474e1c88459c2eafa04cce226f0f5cdd39ce3a05ec717b3c493e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
dbe44eb089a3d1d58fb461b52068c387

SHA1
f20d8b430ac6eae1b413f889593572adab626f3a

SHA256
a488f7c504ae0892852b36773e33a32d0e85f937e59877d2600090dc5c12b681

SHA512
79d4584b25259a9071dfd21e55ca0ecb1bf483eca9f9d46e65c97b71e2ef3021d996bb2931797f37fec336ea5402b512d4404bd620a4117600c3a665c47478b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
df077089a845f27285aa1bcbb504771d

SHA1
8c1fe8bf2604ae37534e3036d2c6c196cd373c66

SHA256
be2c76af3949cbcfc7be420bfdd1964f47be9047dae6683d7b7ffce13998ae18

SHA512
c579219dcbf4bc25f42b6c7ac53e6806e93d1a2c9c026a10a899533b1841ad698fa963ef22f908ebbe77a4b2aa30c4f38a23d13fd2a6e40eaf68804ba5e97326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58299b.TMP

Filesize
371B

MD5
1108e8331a6c2c4c7957a1f294d64a3f

SHA1
06f16cec86c892265c9f1742fa003e21f856bdf5

SHA256
dac4925e17ae7ea4995b3716ef02f293379f2b3ef1908f83a39d23ed20dbecf7

SHA512
40e3a1e83fb1ca18ac1fce05f18a6afe3f1e298c83c45e74418e07c595f8ed311448882df6cc16ec027fa1353e152dcff77a146eeccff5f5de77508dd26e516a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
b30804dc34857c6561c01dc132f2b90e

SHA1
c7e19bb62a10d6c816dfe41454e202f1fc54d603

SHA256
5fe9f801a80fde7c1e534f737ee5399c8cdf53390025999b4f84d720144089af

SHA512
71e58e083daa04b75efee8ff95e1deee3a9cf7475ac0d0772b41470a91ba295884b5853c728f679fca30c7f41da7836bbb8c0837c9a1192022d80d42b5ecf794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
76046e587118ac6f7d70a756971fae0e

SHA1
a1124cacc9447fad8465f6be1a3fb7c50f3a5fda

SHA256
6cfe5b6c7d20388c3f2ecab418b8eb29a186293c2a579f0ee0d2269844b133ef

SHA512
533ee5223d7b074907d15be56af4ba0616332bf5b2a4ea8b0496b9d081a6203b8dd8410232cdf0094a530748a25879b6049cf737194a9f9a70f06dd496f8ab89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e77f63ff-9548-4ae3-9c55-3033aaa4411a.tmp

Filesize
14KB

MD5
26eadeec409dc7d9fc97575cb8be6834

SHA1
0c45337ba40d53d6537aca6ecffce1e5ea0cee51

SHA256
7eca65732aa89fdc777f2eac430746deaafaf634f7a2d36352a759b85003362f

SHA512
f06ed0389edebc41360b3ab5fe4cee0e7e753e0b405d5865fb432a6889d68532e44a065896f1e97db94aaf1461d38e399a2f7991e96754497d7d7008cf00c5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f934443b-cb35-436f-a2d6-f125827b05fd.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
19b20382fcaba2a6e7ee9db769af8b1a

SHA1
5f041e4efb64e5d7032cac5f6c1d5afdbff3e497

SHA256
bf1d4d6f8551440a0a377c3e6b980ea127c51c9bcd700d789b9d34433037e668

SHA512
6823b0eb4abd46b056787810cc5b437becde04b57f8b24cf933ae8e090663ed35b81bc438b906d53bc767d6d4ade123b585a792e4393b9b2682feffdf0d43729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
449KB

MD5
dd6f0e527ffe6bd701f446692c58883e

SHA1
b6f37230e7f309f739f8569aa69d31d97651854f

SHA256
b06eb39e7429e69408a047b482575c988aa7a641b9b6eba535dff62c1faecb65

SHA512
d48f36ddabdbdd3004bd37ced17c21f29198a50edd4885c004f348532a3af38918202fd0fd1e8046e075c53d0c6c996e12241ad356757879419c446c52f926c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
edfdbf68321f172ec21340e0da378f53

SHA1
f23147c2611d56ac543935195d6530e2a0e2005f

SHA256
01791dc496055aef62295c405d47b722942f99e0a3447b99cae8707a4580010e

SHA512
69a516c37a3ac4bce0933daae5cad1778220832e2b706c34a631bd711b82ac6e9fa5084ba6b41188bfc40c7873e39526c162f415553000174875e48c883ab284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
3399c8adc9dd240f2702d8c7ec7c2676

SHA1
7b642b72d8720c32ef8e9ceaf7707fcd83508abe

SHA256
f391d7217ad9c0eed32f1fc366b8b4bae232c9a14184e976b2d8cc4956acb67e

SHA512
1101665ae874cf098609a1c50ea814d240adedeb477256d054e115e248ed3f69647fcdf16221fff6e28451c37fd2246c9d6f236f6465645cbf035c2fb873e257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
5642f9a6f58e2cca28285df04831180b

SHA1
5450f96fa67e41bdf203a3ea090f8c185b8f7765

SHA256
287df8d35bc7d240511cbffcdadd9f9c9eb6312a8b61b114b36cdb3e472bffeb

SHA512
670e4dc58ee81a8c5caffe67f86286047c82355008e6f0b1dc34b39de7dec2d24ece2f055f83fbfc803d5da94d565212990b2175bb6c70c46f9c05878e7a9845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bcd2f9bc6796460f712931dc349f066e

SHA1
e6859c5949c14b4ec56215f72f21873495aa6e8c

SHA256
fd30d828cab2b8a499d28dd04782c8f95ba38cc12461eb0e21696cb3dc19fbde

SHA512
06daced0ec3f87dd02730918094c024154bdacb3fe18f7e07e8469da20f618475bd5131fe58d13ef9e7b7a1604c91c4a94aa727bbb3feefa0ebae495355d3e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
27f6f0efdd01772778d6ea50d62ecd97

SHA1
d298c6f26db48151513004f80b27b7de1f318fb5

SHA256
ce063f402faa4f17c1876079871592076b1945a00990d310d6c92ddc7414bfef

SHA512
dc13075098a88ce947862ab75bbc96e4f9afdf52853b41bc3affda2fcdf5d70d2113f9976ef9cbae66de40e6bff499e712676425f2f25e75c01d16531cb539d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
33b8fe46bc52c5b22f6a22dc59ee30ab

SHA1
3dbff9291851cdfdc71e4cb0af4c7a5ed860d612

SHA256
54fe01f4659640ee79f9eb243788e5843e70f3d8138d359f49e32f4da1fa6f1b

SHA512
712aa4f0229db2cf2c4243586661408ba7922dd3907bf2de3349c42e8f4b53685b81918ab175fa2e96afd6112d8ae3a87cb990f4d29033799989e27afd030796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d90cddfb052ec20ad782c3ae03d82455

SHA1
c8188a6354285a30a7851816a49e7df5e6c098e5

SHA256
35e5515391471cedec70202ad2e522791a59872bebadc217fd7325725b93cac0

SHA512
49590cd3f81f224434183442c49b0b3fa93d4e22a4d582ba5acb81560985dea4d8e1e7474f220b660d19e47082b2ac7b2c21801490f63db4087a17b3c48b923a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
79e0af80d83aafdbba56e37748d0799a

SHA1
ef59075182971708b85f7f36f7a857000c9b4938

SHA256
45ee6764648bb943e0978ea63f45fc45dff40acfe94631205b5f7d14d7a2d8c4

SHA512
96e7647cdfe3dd2661948d85719d5b220191c6224b53575a14be90b0bf9d6f365ac669a2b8c50059d44c63f2271350ab8471007efa71e5b027113aa9911d3572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3a9d22f98ba31f767194812505cf0fdf

SHA1
d620b5e12892dc6ce8e40492cf28e8b93198b2e2

SHA256
8b0bcf9f6c95bfc639f13641b89d614c8e1be42578b60d8e86b94a6065a6d911

SHA512
33fe1ef3976642ab0a360d7ab1c4eec34066a555d365d76940be2c1f4a3d9a42f0f9fa341119552906e5e6f37095406e82358e731d57156376da78845f026b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
414b643929feb269dbf60638ffe36271

SHA1
74aa687dca7319f2aa2d1755957ade510b66d0a5

SHA256
7c9403207b34b23b3ad55da33c4daafa6b2f63db4cd3d996df76950dd4d0e24f

SHA512
a050b699bcb4e4f71bf845083348247f521af03e65b70dad62f1633b135c6a51c4ec6250aff98bbca94b5f74dc2423ce3251b2f10f253b06191580fff3f6f1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
58c2913e159ddda4c1631707a548ed7c

SHA1
1f8576a18084972dc67d221739af112917aec9c0

SHA256
d9107cffd2ea1483dc326762de267c830c277d67d944118506e48920d5086384

SHA512
b22cbf82a9c9b71165b337fd5b067f877b477031ed93e803a0f60c57c3a43d90bb70e37fc74a1cb20c043941d83813072d34293dc81807bad3a8780f7782a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fb93f07b6b488842bce695dc72ec487d

SHA1
1d6dd86b98963c41c8a96de94eb67fd7dbca3b3e

SHA256
a5f329ae12fd4d99bef7b049d406cbe86a5807423e950b7a089e469197a7c8e5

SHA512
1327afb94bce3a3bf9d5cb353b68390ce112ec759caaa687dc163894b7d27573d25c52b8bbfdc4e15d54125d5b6f3f6bd9bba4ba7d093d969d43a3036f696af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aab5defd7b77a93e1a5efc1964e43895

SHA1
13e120ad7a9a8dbfe6918d293c21516800953883

SHA256
47602ab5e24ca8079f762074e8eb35f5bf5c44132b9367413ef1ac31a9acf648

SHA512
593d650a9a45091ede412d383c83229504ad966ea2ddd80f5ba46dac4cac70c7f68331d8cf445a749207a965d0ec68bb36cf9da1e38a9268a1b3f3f6a23089f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
6dd10bcaa629032f0e39b0a383f3a440

SHA1
54b901b1625ee1e61a49f832a5d8ae7af138e86f

SHA256
1b681d5e3c39c1d415c95be836167a390be40989826d5bb114c3548e4b56b399

SHA512
d1728616fd60ef5249c1ffa1c117ac0404213b47a23b050aaec6fc18d93cd369cf0c0683ff81f6bdb80c7a0bcf749a6725e0beda862458b280304a19ac5f4548

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
0f137da24a7f95c1f5efc595b7dea47c

SHA1
a92df2e2f6e5a988251ecba9753f8261991c543a

SHA256
d7780e4b261a6039a80cceb18531df7678e321593e5bd5ac0486edc9fae5d5cb

SHA512
e50f48c6cd15d381370356ba1e7425da8d5a57cad875aa9fca73a2c13242f9c64249c2ec1959b46129aee4da2802f357f60526f924b99d433eeceed3c701cd9c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
99054564d65459fba74d35db62b4c5a2

SHA1
8d223d5f2f521cf641f1ac887d53d9faaf42ec14

SHA256
e9cd52d6530d9f8953eb3d4699f1af0d52ddc0dfaa312f5e448fe71362f4e8ab

SHA512
e7b26d4d3bc48265507611f75211700943545273134c458d30355b903359d7e58c24a9dcfeab70ec54964b7eebe50a27a6ba1049d457a8593f5e2d2a84150f9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
e1faaa0ffcbebb93831a277f501bfe80

SHA1
a2baed66c124f86b6c849566f6121556be92284e

SHA256
ad2baca1473bb6989e40f05a57abacdf7a49b8a7ba047ebf7eb57a66f21060c9

SHA512
9e9de17309878b58b7e3ae3a5ea82c3b411a4f8a8db450fb5c686940d63826e24b38434c71d576928206cfd8e0409489735550b901c7f9e9d300cfc1b53f2dc5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 115222.crdownload

Filesize
4.7MB

MD5
1d0c228d384719d8348c7ca2213055dd

SHA1
a994f33dcd502f50c5849075e06f4d0e9867aebd

SHA256
88f12c6fc3de84fd90dbdbbcc877f883d462b6ec5882631412328e89493e759e

SHA512
9d5b16bf855b4971f65f62f54934648ae739171c19b55e14dff665377c70ebf76cb8fdb02b2d02e8cea5c1374667774f670d4c3373cf9cd89532726860e61b6c

Download Submit
C:\Users\Admin\Downloads\memz-master.zip

Filesize
17KB

MD5
4790677e05d72ef7429dddf35562bf4a

SHA1
4243d6ea53db7e8cc0c355e70d6cffb54787b90b

SHA256
319bf6087040d17b87f46cd05f5ee064c291ba9ca46e1910f28d1f4c57cb3d96

SHA512
a93c5f691938bc1bdd9ef20b975f0b22cf494543e7df82ec31838bf811552ead5cd855959be4e47186ee7de944be005030f52f58b9dc85e7cde719cb97b794e3

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
14.5MB

MD5
c660d43b5e0b2ff09e493ddda17da8a4

SHA1
153538de767d4560acbecabf384d7603c5d569b5

SHA256
846689d356bc79f072fed305191a7937e80cf4f14f6ed073b85c785f8033b690

SHA512
779112a7b21d0f956f83a98ffd6e5a248c60004537c22f6970218caf574afe3edb29be55177d5eef9a16a011dfa034a7d78eb5352696c106fb0d47714f47861f

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
384KB

MD5
756150de95a13fe03025aa23c7588612

SHA1
145fda1132273724139f18cbf5c66423e441b180

SHA256
4390227ed5fb565cb54ba52be92600ff78ab474a309445d956dcafc68949c17a

SHA512
1bb858b307527095b35913f3e7493a41ac2bbb86f35ab11ea186687b881c62e844fd16c823d0eb58c6fbc199a6d8fbe4d1ea1188bf500a817f476465fdd58491

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
10.7MB

MD5
a4372ca679b0a4e8107a5d3155a0baff

SHA1
dd8403b2bc0bae24e4543be08c6204e265920764

SHA256
46acf6e9ef69ce0b4b1047761d8cfa51a702d21c669e5c5aca5b1dbada52e1cf

SHA512
8c230f4243ed1ebb1f35d697016f417fac5af6afcbc9e7607c015837c1a48674d6936444c2e6e245b6747fa9f9455be9b2f35caa39422204eebf61fe921180bb

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Temp\{AF58B3D0-94BC-437F-B9BE-1AF5325C7A1F}\.cr\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
610KB

MD5
9656c3086081a41540338b94df6ae084

SHA1
dc87b2d0dde3604437d13d2f89fe9ecb7c7b0373

SHA256
6a7a85e1b9e899ce83ca29eca2e0b34126acf97675991b431b279278a03c41f2

SHA512
7bdfc5943968403b787700f5c4e12d88f34bdca4569fbff21e178c17eba40f8db68135aaf426b990617316c10b86687a08375c611c4a9e5a8db8eb2c2be3e9cc

Download Submit
C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\dotnet_host_7.0.16_win_x64.msi

Filesize
744KB

MD5
a1f68b5ec6da37ffc65f12f106d70f3d

SHA1
1bef05fa3f179a9ad079326a5a38b7728a81967c

SHA256
7c01b2af6cd178d88dc11b2c12840beb0b08f8dc4e8958ba8d7166759e0c64b8

SHA512
0dc65ee5f8a4720012e678dbeaaa44df10e12ad7941f4835c37a0d178abb7f282d0ee13e7b45fc56141489826c3c980020179ffb5973989a463f4aeacd188a93

Download Submit
C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\dotnet_hostfxr_7.0.16_win_x64.msi

Filesize
804KB

MD5
3db1b0ad874499a5bd80b9ad2ed2103f

SHA1
77f02d58918daa3cb25364960a1196ce2f711d0f

SHA256
7b32cfc57dae7fe08f7ed00d54771107aeb4b80305a7269f6b9ac2cb19710c35

SHA512
e2214799e8febb31e2dadeef8904e5692fb94f916500960642b780a4b68f9bd2d8d7e62d579418bcced9a7b0f7ff958e672783fc019617d17499e8c5e1b777e1

Download Submit
C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\dotnet_runtime_7.0.16_win_x64.msi

Filesize
1024KB

MD5
58f75f0b6261762fcb57604d0aecaac8

SHA1
5307edb7ac9d9513a0ae10369170b9c7a2c533a3

SHA256
40d71992b3cb08b27ff96af388f08883afe775e96aeaba84b44a2b5fb3c1c2c6

SHA512
a4e8234df0b7059176ca6bf7531fe3489c7f14386d20228d926685168fc6929e059cfec534cf4899eb997075ae48f3fd3ed798e6eae547be771838daa9c5c7ba

Download Submit
C:\Windows\Temp\{DFC9AE2B-5BE7-4B8C-B9EF-2F9229C2B348}\windowsdesktop_runtime_7.0.16_win_x64.msi

Filesize
903KB

MD5
b80d0db328e9dbae8213030a2fced41b

SHA1
27ad69b205f9444c01512f1e6f1c2a5fe5d6a10c

SHA256
b944e6b8959953eaf0095f561cf9e92635e23e65cabdda5d9110ba1a35456a81

SHA512
4f2f9118dc0e65aad18071efad5c0a057897e6a4ead120bac56beb2b5aa611902eea6a361ae9d99f34a1fa91c29a5e15fcdf1365be78531fc43b7b548b156018

Download Submit
memory/3956-499-0x00000217620D0000-0x000002176218D000-memory.dmp

Filesize
756KB

Download