meduza | hxxps://getsft[.]top/

Analysis

max time kernel
81s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-11-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getsft.top/

Score

10^/10

meduza discovery stealer

Malware Config

Extracted

Family

meduza

193.3.19.151

Attributes

anti_dbg
true
anti_vm
true
build_name
kanew
extensions
.txt
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4748-1200-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/4748-1202-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5188-1225-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza

Meduza family
meduza

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
270	api.ipify.org
271	api.ipify.org

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2c2cc795-6e4f-4ca4-934e-00f5ab8f3d91.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241118181136.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	Process
3668	msedge.exe
3668	msedge.exe
1012	msedge.exe
1012	msedge.exe
4292	identity_helper.exe
4292	identity_helper.exe
6084	msedge.exe
6084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

msedge.exe

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1012 wrote to memory of 3388	1012	msedge.exe	81
PID 1012 wrote to memory of 3388	1012	msedge.exe	81
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 4708	1012	msedge.exe	82
PID 1012 wrote to memory of 3668	1012	msedge.exe	83
PID 1012 wrote to memory of 3668	1012	msedge.exe	83
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84
PID 1012 wrote to memory of 3720	1012	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://getsft.top/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff89f7146f8,0x7ff89f714708,0x7ff89f714718
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2656
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff77e6e5460,0x7ff77e6e5470,0x7ff77e6e5480
    3⤵
    PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,656767087236784273,15647182972828644451,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6564 /prefetch:2
  2⤵
  PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6325:94:7zEvent24413
1⤵
PID:1300

C:\Users\Admin\Downloads\Galaxy Swapperv2.exe
"C:\Users\Admin\Downloads\Galaxy Swapperv2.exe"
1⤵
PID:1240
- C:\Users\Admin\Downloads\Galaxy Swapperv2.exe
  "C:\Users\Admin\Downloads\Galaxy Swapperv2.exe"
  2⤵
  PID:4748

C:\Users\Admin\Downloads\Galaxy Swapperv2.exe
"C:\Users\Admin\Downloads\Galaxy Swapperv2.exe"
1⤵
PID:1096
- C:\Users\Admin\Downloads\Galaxy Swapperv2.exe
  "C:\Users\Admin\Downloads\Galaxy Swapperv2.exe"
  2⤵
  PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d9c9a841c4d3c390d06a3cc8d508ae6

SHA1
052145bf6c75ab8d907fc83b33ef0af2173a313f

SHA256
915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d

SHA512
8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e87625b4a77de67df5a963bf1f1b9f24

SHA1
727c79941debbd77b12d0a016164bae1dd3f127c

SHA256
07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e

SHA512
000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
67KB

MD5
476ce314c28f9d977ff73f4b2c50b1f3

SHA1
878eb1f83a5c332f6718df99c76165b556c68b0c

SHA256
c145190c53c391fb3c218b23b38d34ff8642bb655a5e60e6ad95c99198affc51

SHA512
a7ccf454c373d7831b49169f4f450674151c07f514147d5705b72af1f19dfb4b46c8c229eb0b7580efe3588826de05d5244772368fefdbe85fc6f7a01631e7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
29KB

MD5
bf449470f06ca2bf951ed1934740e8ed

SHA1
6e28901408f63c59f7c6103f70ea6cf8b52ecb5a

SHA256
1a2334b6e9885bba5223e21cae308d701c5d87b9b789972e180533583add89e2

SHA512
217a6f35ffe5a2dc701d0e3b01076a7c799c89e97da0ce1bc60b7c59f2f91a979e98e1d59bbe8ee92585481fcbae534e34f98388614f5676d07db50676d99ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
21KB

MD5
4887275b4f2ce31fc2b2236771c171e8

SHA1
90043873ae238c41f082a90c0e892c6d210452ea

SHA256
2c016e32414be1b907514b08c735c54e4f7a5cd98f3391e3229070d31c4353fe

SHA512
5b276fdbd4fa2636cc8eb588f2ba30d5950dcc1830c8c408439d271a13ba1351ca8e6aaedd0d75c6a8ca4828a40bce80fdce11ff342e910d2879079f7e32102d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
16KB

MD5
f1eaf516993292ee07297ffabd5a1845

SHA1
8bd64dd235d60b753bba33587ad99ff11c8f33bb

SHA256
3d47fc68edc76004a3a4fc7c38aab191c4dd301e107cda954d65af3ec8f1eba0

SHA512
a91d65a24117c375c145e1286724052bae514ce17db5922fdf3b942e5646fe4724466adf733b9246ca8e82d3b93e6a63ba5aeeddb0db9a8e1bf67f8e1e978b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
27KB

MD5
f64d7d5a4bd398d63101afc17f5e9175

SHA1
3a69501e20d295d48a2ac86c3b7fb4ea9edc5f33

SHA256
4133f505fa9f390a9397d92ef63f33c03160819b245baa50923eb8e082176206

SHA512
684aafecd9545487f9fb2aafdccc01ce3eb81f690d2059e6ef99ba7b902e6e4d29dc0f80ade7da1271cbf75fa6ae88b71becd0aa31f01dec0bd769de22f63d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

Filesize
19KB

MD5
2365cf0d2414c061c29d737b07198077

SHA1
55e4b73b57a77d0e20b892bae75902e6607d676b

SHA256
bc77e41270598378662b9f6d9b746af73cc236c8bc4e6eb7bf9ac748752363da

SHA512
678df0100cbbc041a999f8ab56c508230b2c26d2d684b3cf24bc2c8fe77254ca870f502e17165175c77bad37b99269885912e6a9ccf5d5f06bb76400c8c0f155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
23KB

MD5
971f6559548a912d8e2151f1296661c7

SHA1
b93145b3d535cf1eee2f2329366bcd9d706d8924

SHA256
38203d46cdf193780df9f60534b14152e21a3a4e1c891f3f31dbe16cd166485c

SHA512
27a8f938742b6215d0a5357d7c151bc8ad4880165d2cf582641bcf4b6081634759d913b6173f051d721e7c609c6f5f0bf2aad63873c8a79825888ff861fc7180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
36KB

MD5
489170f565e5d8cf56e8ac02dddef34b

SHA1
e11b556951fb2f7f066860b91647986c152f4e3a

SHA256
3da823babbf3a2f22892ac282aaf6a070ccf5bc8f415053e698636f9a2e17e87

SHA512
7e615f726d767c55ff8e7cc20b6d35b2557a0e01b4bda5ac910ca1d9a12518a69aea5c535d5ab23d37fcddb039897f159cef22d59ba5ce0949fc5ed53f49c9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
27KB

MD5
ea0d829233ddf1a13f638f1bd2a4ddca

SHA1
2103d9b2f4c10ad663d6c45ac468afe23bd90798

SHA256
dd214f4e06912ec56d5765650d80dd0f87fbd3d4301054985b62252e3dcafedb

SHA512
0d22b8361fa4b8a8b280df86844a0ffeba49c3531f910b9dc066de00c0abb77a43c86d33f913c06ee58d2fc6c391a2226956203e73cccff1ed51ef790770f0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
65KB

MD5
1d189a9f002aab572717f88ae5a108d5

SHA1
8e547907bf5fd8b2d0e6a0afab3286cafa4e6b26

SHA256
2a3813d14bf5cd4f12da93b2d3e650b27221b245d1c8887404ebaa185512b704

SHA512
25e2afaabe75f43584d1c1f2cd523fe5701cb8469421e6c23a5c78ad6c636fda16dc611403c8b3807710db68193bd7aab3a2dac731da4d0f03e44b8000346f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
442b2beb11bcae8a925a6e456b495727

SHA1
3d7582c10f0469a7bcc0844ffda4187e60093f5a

SHA256
bd637f0964f643452be150d296879960d0430d74c1fe7636b06f8bebdb019cdf

SHA512
69d99e2d4b41de5ee6f342408e490fdfd03edcb56d92b9e376fbebbfe5527a08d8cbaea5c57ca93476979e922fd5a00c62315752b4c390d2aa18a7827fe905b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f6cc60b55fb14f432bd4fe21ac760d6e

SHA1
d37ba5cae021f49c892136b3a73abbb88cbad42c

SHA256
7648d844d2f450f54fdde9ace76e579ae746e8e3ced0fddfceb57f3147416755

SHA512
ac82b9e6915cb7578a2d00a1a3780761c8258e7e266a92afe6fa04b8d504afee15963ea5eb08a6794faa860b87d237f3a026517a71c73a38136be7f4010a7934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
0a33b60c4ac608e065bda575ffdadf72

SHA1
be849cf05e5e8c57264015172382d5e67c868837

SHA256
df83e9e8e2f8b77d6fa1bf2353e217c4f52dd510ee0d5ef17afa23578f4b72de

SHA512
d19b712bf1241c195048e0d3a0e1260ae5d85c1d86b0d301f1be05c56645d9bdcc73fcf106d49b799b1e5dc1cd32f3a4f3e89b5708afaec8f6cc43ce1a20c7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d1be4282ca6f020dfba692798e507ee7

SHA1
3d5fc05df5a17c1ccca6ea53e4e4f514a1d863d8

SHA256
16bf0c8c14732aba8bd6d2fb4ccbf9882cf8f9582517b5dedffe3c5720c3c3fc

SHA512
0136c677c5dfa5bd3130aef38d7f364a1fe64fba4674b13781c2529909c5715cdd98e8b10a8acacdcb63007c94182294a2ae31e3091c389ea08c58b480847c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1005B

MD5
614aca0f5c1f660a2b7ee2420cf5fd1f

SHA1
afbe1bff1a5fb0ac18f1636697aa15e78f827e0a

SHA256
f8cc793bb008441daa3712e20a22a375316a8e0d1ce93eb25f93795dd7d8cce7

SHA512
80be1c10f24a0ddb337ca3d6efd4962a95ec38476f8a3e189eb6b04dd209f0613f398436f175c593fb57274ebff1695658faefbd645da21990e4f10243b89431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
291B

MD5
4081422abea4a316e46c699f2547c76d

SHA1
005c87466aebf5a79d8b5dcb48d5d2ece9395a89

SHA256
214d72e7ba32dd901f406072ed488779bc9b1ad36dbb0de5e3dac38cba80d351

SHA512
17d5d1ce4a0b7cbd69698a159d1f6a6b7775fe2ce668c4c7730db95a34818b4020b6beb39296cdab84a21426b7b80b5446da8b2ed823d4939247a71e5d8ff713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
1136ab6592cf7205fb7d31d8107c6897

SHA1
d652d23dbf860a487aa8989bb6f3cbda6b280e3a

SHA256
5ffc4aec0ba507e30f52a187815f9e8df1ec3e368c18419353f1543200a9fda0

SHA512
2243bd007547d16ed5c248b748dcd8c98cfe3d4b935f32353ccd00c7ce132c11c96f322bb39151d942b0cb1d344b8c1c9da6815222c95dac4efd1921408c6877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8715b55b16ed572b21204342401ddee7

SHA1
4944e7e19fe8063ab81aa0a00e0ef49369a07cdf

SHA256
f06427eb739c5372973cd92ad30cceb2f15fb32cd021c2b29a205a98e4046c50

SHA512
85ca668942d9fe76cbe76784647b52038b4a3a39e33ef024dfe3d28c2af1a8618cb3e8c758223769ef31ab6303ba1c72c6a174979c3c4ad145c47caec5d2a32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
093c35ef51caab6327365c08b37e6a81

SHA1
73b7230f25756f7bc4058b5ee0bceca11d481cac

SHA256
44c4240e18f0fbc98126c8907e6401a260a48aa7e009ce4d9e5fb61f010be85d

SHA512
9fb9a272abf88e1ef5f26742cd3242977ad3efa916c3bd57ecc673ba4be917020ae8c1eeae01d19641e621240bfe95f9488ae67bbd15ab1d90eff630e2704696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2fef5b11a24c39ef53a4e46abd0a75e0

SHA1
e3f5ffdcaf622b70e4293800ff455ac5902929c0

SHA256
aff5e2edcbfe310a58907073085c592639b20acbff6b905a267522681da90bcd

SHA512
b4aba0cf8d66937da562926e699637ff34df8dbff3cbae27a6a840072bed238fb6549fe1e15439ba474c3233906315f0ceb972451797239861f72b4734c9aa99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2768457f9d08a1acd4c166300cb2132a

SHA1
13e40f3e257a29f7a14288275158d4a720f7549f

SHA256
355a16d1c4620118877fbb90531c3fc93c2668a948079db9b844f72e4e08863d

SHA512
8103815fdefe1bb855bda5c2127d35cc58c78fb90649dddcaaebd568cc3d4b5c85459d4006e40b28c82e4f60f542bc9442eaefc4d2a8d3ed519e44c5dd66d1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fc400d498896d065b182226f7499abb8

SHA1
83c652c1a8dd8e4ac7840f12fa2f2f2d342a923d

SHA256
e0b2719d5052d5f0f41bd6477d598c1833f896d19d0d3520a61ae466bc35458e

SHA512
740f49a53061c2fdf7333ea2996ae4fee3a361a39d6faf8838e5cc73a82475f3fcd97d8cd089f842e260a3d15559b82d2c2d62e14f4a767fe9397285d9d52367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f52bd759f0b4c38bbc47ffe5f58bcbf5

SHA1
2f5568e741381cea6a8c892bf459a7b8e21bb730

SHA256
b9d25c697d5f03d01f13dc23c7ee7c86812bbbe784d1298e4384ff724e4063d1

SHA512
988f746b70898214878b84f70740e5a2acfd2f001623a9f48ab70b1b0f5cddf74a99c1f6e949f8f29d25d81205cfbb0b8c27804109f819dae8306f0b10ef774b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
243572c4adae35b0e8b4d0e37f055768

SHA1
85b3ac3c4e620720d054e26a6edb9d0d0703fd86

SHA256
7672f71daa5e1687c6b5561d9a5747ef6b4461e384843a51d45abb19514e33f6

SHA512
dcf44dcceb470b133a3d63aee08a804b496a3b8b9046179321cb53f1e8b70e28e54455d92028159c453808ddab17a987b915110edc55c0c78b7cc705af243efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
364592d2cc18adf665987584bf528cba

SHA1
d1225b2b8ee4038b0c42229833acc543deeab0f6

SHA256
bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c

SHA512
0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
137094a3453899bc0bc86df52edd9186

SHA1
66bc2c2b45b63826bb233156bab8ce31c593ba99

SHA256
72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44

SHA512
f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
80db6c83f1833d72dd53569f59d60a3e

SHA1
2de2a7532519cf72f0680d886afbdd65a7e516aa

SHA256
33fd844b0e209dbc136c7cad0399a1309bd4527cad23e427d8c53045a0d3a11c

SHA512
14cfe74c00f31eea5541ec25055a3a3d2a90b5c7a556bab7c5e1cb9e9aad95fb0401d92c05886793392c056297aa3177f44524a707e572ed8e74bc0c1c54a6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4683b5512e7b8e33abf758b53e7a715b

SHA1
3910c986eb6039c5a8f882cd47994727eac071b9

SHA256
99b67d04bef987444abf9fc4460e67227d45398329a2d1c862518fe9e485ca17

SHA512
aa40095f409ed71d144aa748298e804566cfda0598a2e3d8a9af7d1989a3c4bff002d27075e70c3fbf92a33307285b97d1a2e1239450db8125cf242dacf68183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b7c45b2e73cdcde0b1572fc79c3f380e

SHA1
ef6758e29a8eaac355d91bb1d7902b0a5d7d9bcd

SHA256
b548adffc8efac7e492aaca2d46543eeb6445fe4a3206571651b60ae6af37ccd

SHA512
024c7feeab7ea3f878b3659adc52cf568364bf553a4de74d4862d1fadd8e45b408cf887c7107cd24d8717ef310a7d2613b78ba17eca7ca54354c387c4a63333e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b2c5533bfaf842af083018785c9fbff6

SHA1
5eb0d616fb61a956cb2c2c6a8637fd66e63ff25f

SHA256
826bf52ae6404c5ca02fd946293f8d36347da7f0dd1f05bdd9a11679195d77f5

SHA512
ccc9b085e19426e2c5eec41bb51da2b8912e55dfcca40155dc8a79f61de5037094191be66cec7f052d36497a3addba3238063987cfa3a3bcc011a5dd8d3d2a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de98.TMP

Filesize
539B

MD5
7b62ed95b18a935f08a06301d09dec19

SHA1
d60fc28dc10c85e4b17d0f323db5f7f79521a401

SHA256
0dc84b07cf4ff7ec38d6433e57ec7d93d8877bd1105337644b0d82ca6a32d101

SHA512
1e7ec533efe1fa3f20705d7faecf05a7c142a3927b2102cea72e63144d75a552872b28bdaabbf98319f2040da8322d98d9bf7732be3fc27ac1ecea82c59935e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
969ff34e20fe4abd72a5a3044ea2e2f2

SHA1
f692ae59b6df9c90dd13ce8738ad5e4b08f81b55

SHA256
c1314586d776e1608ca6f6e569cf1857627c7e757244888730c8c0c66fae8db4

SHA512
efdc8408f1d32ffca83baecdb79726d2b54350f3e7d316ea45fb28b49163bdce1a74c3d71309c774cd415eb0e6f14f246b3923a4f5cb09063fb979b02ad7003a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bba01c2e-1835-4bd6-892c-9559c807e012.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dd14cc9e-f30a-4323-8ed7-54eceac2d430.tmp

Filesize
1KB

MD5
d22aa0c9338a437b90f8481ea79086c8

SHA1
b2c21afca4f6481b1fdd52bccc9d00b0e7c14e15

SHA256
88e7e7370231527dcc4edaa4ba6f95c5504d66bec760bdc079484adbf3a3e66a

SHA512
c5e03f4e1c00e459358af4ffdd383e12139107da8e22258c6ca097dba10a1c46710ba200f98c84a0e3c01267aa0000e7be75c22aa80eb749afa4899e41565dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0cf5f69624e7192e94634f1ff271e9e5

SHA1
2dc4a66d2ab3ba8b11bfaf80223ef84efb2b9b01

SHA256
4dd61da094cece322843f6b1f2f7cc9d80b7e9aea729fe351a35a168f82598b6

SHA512
8a2703e4454e2d992216e593df8f7d9272e8e8c99e2a96e26627d8f26706a60bb7e4034217e6c211c46e6b372014dc6770c98f746c6adeabacee594a20c0c351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
435001b44b23e82311bc98028d9b8499

SHA1
b226499800daec9fa97c311da465cbf8a1e8ac00

SHA256
c8996f9f70146e6a9641eaef8743c88e535446857319fef50d30d9e0e4f49539

SHA512
2b5df6d2653e556e82655edd2ff689b93b70ed68e0dffae452b1c23857bca0a3fb8ed41805ef6df7d0a6e4be36710d987199c2157402d48f20d8ea3195e822a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d145ee7e4ba896adb606ee878791331d

SHA1
72ae3d6988e07bee2ce98578c666250dcff5d163

SHA256
22b9b0d99342450c25afe667498555fe44f8c96c2cd3ea9b0c607e2def46476a

SHA512
1c56d874060e1c6322d8e0523596bb6cebe15eb54eedc2576a1e6364a219a085df50d5f7b95c2c7519ce1680a753b9fadd4c3e1f8b05edfcc1b6ce616d20c04e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1ca7cb2fb14da0cd3ea78a322492d458

SHA1
965f85192786e7fdd38772ed820b4d38bb3f1729

SHA256
7bb610d0eb6047b6dcd9eaa8de69ad68417b49162acdf27c5cf8cd2480c43bde

SHA512
68b94445eb98e21b50d755d8b13e2087ebc1518ca6378f45c17aa436588d2a9a74c95fcf79fb6489c208042ce212a759fbeb5644af009f620a558a338042efc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f59b30b1876c4c7ba24d179f8cc0484f

SHA1
afe64a072b8708e8f4f3ac80c8b6f8393208b9d5

SHA256
2b3bb3da77e39f0b3f16c2410c03d375ff0ba6ef1635c5f49badfdd4187e8929

SHA512
1288fe88c5bec8989de5f28b9802228462ded6906c7e9e394668b9a7be1222bc940c4186d56e683486a410aaba4a70a91eae6d2eab66bc419cbb405868ba6ab8

Download Submit
C:\Users\Admin\Downloads\Fix\etc\mono\4.5\Browsers\Compat.browser

Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\Users\Admin\Downloads\Fix\etc\mono\4.5\DefaultWsdlHelpGenerator.aspx

Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Users\Admin\Downloads\Galaxy Swapperv2.exe

Filesize
4.1MB

MD5
c50f8f31c903a9f88b6bdec9b9f8962b

SHA1
39e30a482d13a431797c02a0d0c90fa9829981e2

SHA256
5c6985e002a60d821fd7b029b2c5d04c3ee16bb619999202f6dbdf432d229989

SHA512
6a2361e6bc5706b5ad0e8264b7767b620111d879dae1bdb463771a39422e20aac204eb25dc06c0820ec69260ffb2ae8e0d939982c865029e2252daeb9cc1f87d

Download Submit
C:\Users\Admin\Downloads\Galaxy Swapperv2.rar

Filesize
19.9MB

MD5
11ef03e15082235273b654a1ddeea7a5

SHA1
33f54be53bc8d3b89e7aed2a9503e093e0aae292

SHA256
ef03b39e700285fb9d5dd5b3f324a35693fa94e5d1db69e63a57469951d3bafd

SHA512
8ba53819a6d8f1630256d65ab983c518f303e0031b6bf5a30843e853c72414a03bc8c2edd6229833c02c0d5e6e3bc218b516dcba5de1c68dd21182590acd1d14

Download Submit
C:\Users\Admin\Downloads\PASS-2222.txt

Filesize
21B

MD5
e1ca5dca9bae3b73a530850ffabe75a1

SHA1
4a2a3ead4114a3df1d1115fe10d8ede70fe99076

SHA256
3d5202d006181f27678a5dec8c9b8b4ebef0d75749b4444c034252c99e59a56c

SHA512
103eddd6a647ad3a3221f4276fe711c069609738e85621f33e0cba8f94992e8ab0c4a7605a0fab15ee05681c1f8343466bb838aa39fe29a781f812f344a3058f

Download Submit
\??\pipe\LOCAL\crashpad_1012_OUGXVALSMJTGKKYL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1240-1196-0x00007FF6F0A50000-0x00007FF6F0A51000-memory.dmp

Filesize
4KB

Download
memory/4748-1202-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4748-1200-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5188-1225-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download