phemedrone | hxxps://mega[.]nz/file/HYcWnBaC#vN0cUJcILuzE6ziZSDbruaGqr8fEbvJSNnbg_5N_3g4

Analysis

max time kernel
32s
max time network
34s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2025 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/HYcWnBaC#vN0cUJcILuzE6ziZSDbruaGqr8fEbvJSNnbg_5N_3g4

Score

10^/10

phemedrone credential_access defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7250665686:AAHW0YznZP8w-6An0q8-OF3zVVfXyjQuxLM/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Executes dropped EXE 1 IoCs

pid	Process
3748	vape.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\vape.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 117861.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\vape.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
2388	msedge.exe
2388	msedge.exe
1196	identity_helper.exe
1196	identity_helper.exe
3352	msedge.exe
3352	msedge.exe
3412	msedge.exe
3412	msedge.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe
3748	vape.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1768	AUDIODG.EXE
Token: SeDebugPrivilege	3748	vape.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 4064	2388	msedge.exe	77
PID 2388 wrote to memory of 4064	2388	msedge.exe	77
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 4556	2388	msedge.exe	78
PID 2388 wrote to memory of 1068	2388	msedge.exe	79
PID 2388 wrote to memory of 1068	2388	msedge.exe	79
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80
PID 2388 wrote to memory of 1908	2388	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/HYcWnBaC#vN0cUJcILuzE6ziZSDbruaGqr8fEbvJSNnbg_5N_3g4
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb9773cb8,0x7ffcb9773cc8,0x7ffcb9773cd8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,17766391338047100817,302107726132415918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3412
- C:\Users\Admin\Downloads\vape.exe
  "C:\Users\Admin\Downloads\vape.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x0000000000000484
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
c96cacd186e61a4c1e1c9462a5e7d4d3

SHA1
fc59a15125d3627f4609e40a3de3e9d2fcf73336

SHA256
d22607ee9906b331fbab5f4c5b4544386f1ac14152514b41a0a41464150c2e3d

SHA512
187855add692603ff0c95cc7e2a642ff6c74d4d58c39ef5d2a9338f2ac6dbc263d2d154037b7cf2d9492fbdf54c59fef7e3c7ed15e0338592965d4fcb99e3a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
592b4f07da4ff51ae3d8ac1b7e6082d9

SHA1
02679b96fca13f34789897dcbe5fa2f3c6ab2828

SHA256
41a241819e565b1e3da7cec0682b4eb582300e8bc46d408fe2b3b90ee45614ec

SHA512
66055ddd2d9c55be808d1981bc3511d4f15b6ce44a7aa8a05276c354678efc44b7077d17c6a61c7a860ef78b94b00fbb27fa7f291cf6635cafbd0dc029135611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f9954fd76e2523f1220f8892e90b21be

SHA1
d1326a3f8bbf7a24a1a7f6d2c765c5ab123288b9

SHA256
4121ba5664e9b48da738122bb3304189ccc793947e8f60fe8a1ec5a145f78838

SHA512
8d3f609a59a767bb3d37be4de4795f73c797a1b4a72d809345345b1a4a2d7a64493c6b1856b96e6e1c1927b6055a3e1888366be0f676ce99996df86e8fccbd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
303d9ff9ca4f5e506fd89b3a1628b365

SHA1
4cea32b9ae96e46115f4b716597e98662356c760

SHA256
af6139c9a7e47372ede9020aefdbda82ff74345bdbe51e4bd59b2f4f8c59ef14

SHA512
7c4ca60e6e4238d0172c2008ae4edb58bd801083c2ad1ce142e422730b795fb582133ce0a6e9e3111456e46e406ce5c96cdb1d1772afe0da480e9d257fe0fc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4e7cb85d4212e31647dc789bbc65035d

SHA1
ea0b5e1b5ca27ac7640ac323cbd9ecd8dcafaab5

SHA256
17f39c2406c62c7444145739d595ffb4b0b54732e89ce56bc818f285ef50f2cf

SHA512
4c95d5c0b16b717465cc5f9831bf7927387a92f88b2dcbc25f6611a5130d6466d5d1802129230faadf41d0d8c96dd4feed501d9ffd63d95174c4dfa1f28e624c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cd72.TMP

Filesize
48B

MD5
d3f4acb1d95c184444fd2bcf0a383bd2

SHA1
2bfe3855bc3c308066dc786a4483763475115b3e

SHA256
0bd2094b9a33de8dfe0798426973437acf1039a981e3f5fe00f0855f97199be0

SHA512
963b41241295c68754a63f5e6d2c86ca99c13ce6a1287c2f440b339778299b4b027293d855681aeeed0e2a101a5ad50027cad33eb9ca3eebb761702c19cfeea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
31d1aeec7df9271e761c21b471101d7e

SHA1
361565fab2f3264c3872906c0504121c2c568892

SHA256
e3b2340a3cfe9993481ca0a8212e920269c04d677a08edcef012b247b57c0184

SHA512
6fa3b3e4a3668747ebbf486ebfec2962a2529d00ac24769715183e603a80d9fa884c35958e3d7c90cba015ef36fe9da5154aa999a83254fcfa982c2dce05551b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
080559dbc6f387e41a3195148e1a5a6f

SHA1
23f49e80918ccc69ce161204d0d871ff6efad17c

SHA256
b81d083becdf5360f8249868ee703571934f9aa60f1c70346d8a7583ebbccaf4

SHA512
4aed1ba33c05cc5bf9d8d80e18cb42f6e058aa5aa579992e824eb8a54207fa6219f45e2fc83df86cf706cc69dc15af7e792508a81c24095d32d46bc509fbbded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
94f4fef5cb735f8349fa2afed09e3e57

SHA1
b97dfdf1f9b77dda4cff1c4fcec6516b61668061

SHA256
49f11339c3b2d9c8200676a788d28c6f2fafecd7e3a329e8a996ed38f687e6b2

SHA512
4170d49a12245cd12f975184f1740387c48a50725bec627a09f792fccf3d568bfa67a7cca465055349b8b29de6b9c74062918de63e275fef3e4b91d68f23e3d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5a71fa5d613cf41b6a25494c5e9fbe6c

SHA1
188501087529c4b0068abc66fc107ae615423907

SHA256
1f43bf1d3a9b93efdf2a8ca73f485055c269b6e438c02d530f0ea6500bb2d546

SHA512
1eac7db1dbb368cd9bacbad8e24ef96ab2747b8b6a44dcd96145b2cf7fc8eb3ae2a54020dd5a41144719ff41a8542683fd18ec318489cb11a71eefc076299cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
44f431547f008bee347f8d8aae5f9199

SHA1
733155dedcd9a046839488dadc6ab4963d78a50f

SHA256
873118becdf7535b6994403c4dd5bca58938fb05e0d1053a6ad76a41e6a8c992

SHA512
963adfc715609228b35ae6c24ba895e6f9d61a879e8d50c4ab1b9a93839c058fe1fc544b62f116b150d119248169e60a82f9552fe9df5839018ea39141e3a121

Download Submit
C:\Users\Admin\Downloads\vape.exe

Filesize
116KB

MD5
9957ff72b98d2fd3819a1c3a5bb7c266

SHA1
27ee49406e1eaaf4ca84e9119baf83d79e199df3

SHA256
103b15ed69b33225af3886c39dca69d542aba6907567bea4f4854a80fe9ca34e

SHA512
52e8cb098534a39b7ad5c251db05fed8b414012f824ced61ba6dd53e29cb8f08e870c19a74906112f2fa3ba60abfcd1d7f3170ac27481a918b1b818bebcb251c

Download Submit
C:\Users\Admin\Downloads\vape.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/3748-218-0x0000000000D00000-0x0000000000D24000-memory.dmp

Filesize
144KB

Download