hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

07/03/2024, 13:12

240307-qfr1aabh25 8

07/03/2024, 13:10

240307-qesv7abg85 6

Analysis

max time kernel
73s
max time network
78s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com
21	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
784	WINWORD.EXE
784	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1828	msedge.exe
1828	msedge.exe
3580	msedge.exe
3580	msedge.exe
1908	identity_helper.exe
1908	identity_helper.exe
4444	msedge.exe
4444	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
784	WINWORD.EXE
784	WINWORD.EXE
784	WINWORD.EXE
784	WINWORD.EXE
784	WINWORD.EXE
784	WINWORD.EXE
784	WINWORD.EXE
784	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3884	3580	msedge.exe	78
PID 3580 wrote to memory of 3884	3580	msedge.exe	78
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 776	3580	msedge.exe	79
PID 3580 wrote to memory of 1828	3580	msedge.exe	80
PID 3580 wrote to memory of 1828	3580	msedge.exe	80
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81
PID 3580 wrote to memory of 3024	3580	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa13953cb8,0x7ffa13953cc8,0x7ffa13953cd8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,2537410882333108537,4973341636222291048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\734bb4cf-659a-4d62-8a15-8e1d5339218c.tmp

Filesize
11KB

MD5
5f7b7a05f23f342d2ad612c7c43eaa67

SHA1
a1525625abe0428b5d83eb82d9dd9d271fc9c7fa

SHA256
7745080d2730b24b04f0e5cac43f2d4322b1db9231e8f0b6fbab1ca96dfee780

SHA512
542a1677f5751a9fa660d43084e14b9cf9d3da6ac1091748802dc815597f9055cbd2eff8c470f600e8b651588d10d27e1f110b34f06dacd829faccafc6a4db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b50c490ba53e8d1c54820d8fe79d15f2

SHA1
a1c11e4c657f98abc84aa24b6fa0456e5cfe5f69

SHA256
84a3971d9ed99e9600e90233454e0c6acb3d328fedaa87521898a17754c5d991

SHA512
1520b2b557461c9a3baaf8e412d8eff082aa66c585683f4f169fdbba32fa64b7c15558c9fab3ddef8555280aa0e7863a90b06158abb3248ecdf4e658c538885f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
1ab00e0db87f65130819c6514ed5c418

SHA1
a11783c0200cf9c98f3b0c8353802a9cd556d3c2

SHA256
12ec19dc6994ba9c68288ab16937da4384354e2a1a0b327a30d90fc579bbb869

SHA512
896f71a97586d05f7c7d72f2c592e5e9717da10c063db9540c0ada0da01fae45729363f1338ae9e8d6365b1c0b01542093d3986d311edfa4c685ffc12848f81d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
2d71d855b15ef6b930bb1e2939f5d328

SHA1
fdb1d6e9639fe460b7edeca3ef818faac73bb52e

SHA256
472b16afcd9ec77b81035db7d11cf7ce4a250e3ffec444452f7e3081e1a8b342

SHA512
a5ffe6f254baba16e4732e1d2746f911eac587424eedf4662f7fe1a553c3ba98005834c1abb3066b9fc435f277d24a4d1f21079cd0fb0baf3f88444979439234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc2acaeb1cf19f786824bf40dd7501e2

SHA1
419ae27bdcab48cfaea678bc15d812478ed82834

SHA256
cd182dc11381cf6f148997c1693a61591c56135c8cc44cc9257fa99a19b9361b

SHA512
fc73591d375d56e95a23baa4d0318d53a2f0a0f4908afe8a9f487042672932560c63625e474fac9dd438d1a7c009dfe50259f60595fef910ff24eb75f926ba67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2478ea32be22397d77ebfe96a35d8c5a

SHA1
112b1aec1658c0146d361a97663f112e3b2aa563

SHA256
b1afee4dfdcd4be2f431f1f02de6c42611caa66023dd94d349c28c52968867dc

SHA512
11818f7662a71e31062e9171a36afeec2fa9a71a5687090750b160f29032596a68698c9d25187f0ec2f27c2bf68b5214930bf9e61dd1c8e57daeae33c37b0140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fd7ea3bc2e82c86190ac99b121e2fdb

SHA1
c9255ed979ee89deccdcb07e1e64c132c5f614a8

SHA256
c59b82efaf9b911da719dcfe7a3dffe216db97a979ce2ea4400e821ff0e189f9

SHA512
a48c52648ec02bcd165b31a820e00569c2321b80b79ecde72c2282e031959a248739c2a42fc1f8c2d0ad4ae12a952c8a323694cddc98473e5fe063ed8b0c948d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
83055b2a7749c484678c1a3f8390b8f1

SHA1
cbfd06ecaeca7a9b3e076c1dc013fb32da73368f

SHA256
9a200576ecb1d8905e81a34db4d92a8cebbec5992272e6148692b6713830d363

SHA512
f6ffddc95d070de8406a095eb10f12fc71620525ad8b0f8fa11d4e673f9ba9d3a0971cdecef06beee40ef160bfe30c4b5bdf5a49d94b35f0ebb8f5ac91f48a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04ecd981db9773df9770b32a3ed03ddf

SHA1
4c636aaaa7e26442f5831bdd226d5fa18f5a45a4

SHA256
a7dcf22b573ba73cb0f3fb1a374dbd8b09f6a133d96afd6521be7289fcccc5d2

SHA512
31227a9e8a48ac2ae854c9e897dbd2df398121bdee9bc261865d01964d5267a4025da81cc75021f850b48efb63cbfd0df5a6edd3b7be3fe37df3f3c6943a2f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
587c82fc391a6ede2c1f61765c7e6a8c

SHA1
4e50d9e95f2a5294b6307797150f34e592ee5ab0

SHA256
c69d168e4e5f33019124066f4aab07dd0bf4b254e2052343fd49b078a8e1df9c

SHA512
bd60d7b1a600dfdcce94e0d17ac257971961ca710e11616432d4f898e21eaa8ed52748470b4ac897a6582f43600964b0f601e1e1a848f4347bb6d8da57450b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
141b9ac2f3e6fd5532722307da063165

SHA1
a705bc3618601a58088c6e64240e78c02d2ab7be

SHA256
eb83c886db631f26aa784cd9eed220cdd88aae09380b622a2eb120cf4a2b418e

SHA512
4f88259f25bad9e8876db120b62ac3d5de29b01da4d93a1d1455da13feff6d09eda1b13c328f9266e168038dcb0fdb7a53008175b89db46a51ceee74066be543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579422.TMP

Filesize
874B

MD5
a586b45e2a7c560b533942d5af4a005c

SHA1
12b65a8a243ad1a7a9a734b2f4125b9901ed2893

SHA256
6285ffb2f00dac637039ef00303351767d735e0d67737b0da3b35306e23519e7

SHA512
f3234d478007ea46ae62a6ad3d49f90fc26bdcecb858cdeeaac8239aecfa7e2e44247a3338f3e01c75d65d7cf72cddf0591d0a64267c93c9ef87991543d1e98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4c763ceba78364f38a160eb572ece29e

SHA1
69a75dd44abdfb154ffd2ebc84a32eccc84352cd

SHA256
0290614b411dbbd645b78ebddcc7e8047639a288635204924d3344fbc3d40df0

SHA512
c83e53f1f1e4c2e4e5cceab1cc783817c822fe65fd3e484d5a4f71e9348d34bb2aaeab40b735770ef07e5ab335ce78eabb2fbf42dc8c906d9e7e41e4ecb31d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
caf17b157e2268969c2d213b6ac20fd5

SHA1
d4769a44df547cba60e2f4c5a8d471791ceb8072

SHA256
006c65272313b2e75a120a0bd3f675ce7c72627e938e67685ee484dbd0a9baca

SHA512
dfd869732bb4ac24fe44182f0e24d5f5f63e0fbd9839c62a789d944432af1fc245177da3c45531bde4a031ccc1763e3b2fefbbfe658bd092db8bb2c39586cc90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
247B

MD5
d2d393b7b5d35d025ed98a03fa939638

SHA1
483c2ebfdd96bc4d86c49f9b0c1c08b7416a056e

SHA256
8df4ef0fae9e88abf12ba2689a6d053fa685073c0233412cc9c6061700922f6e

SHA512
f85e0759accc31ac0a004ff42f97ce44992f59d608eedb618d052bdab1d4d4200de2948d483324a8150d70b8acb5eb73830027ef23541a82461b48949ed850ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
31KB

MD5
e13c71a8a39534adea4a20df1a23d763

SHA1
3b0a02c019f90baa705b9ed96244b7e4cb1214c5

SHA256
6d7c25fd2182fd3f6be984185fcb0b839b18d10eb4cdeea3060405b5fabd3daa

SHA512
21eed58d229af92f3b2eaa870dbe740ee6825506e8b6079e3b195ef49f5a5c6c90c2c071693dec5611b476a0322416b9312884347a818c740575b03570b78695

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
178eecaa6ccc67253960a3b7009a017a

SHA1
c29d0c15fb5e01dc7b5c09a3c240f532e17ccc91

SHA256
84a21dd0f4e7573628c23b28cbe9f4c831db53c3789a365880bff831a5bdcc01

SHA512
c0a7e57c65a332dcaf591b709c1fc4edc3aa0250a2bbc54936f7e136661904f6a73fdd1d61a89c8d58c111566f33c8d4814add490d7b5ba72504f8bf7723ee8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
905a550585583943a1e7795d363f23f3

SHA1
d2bb121aac3edf2215915fca762d0af145abb0f9

SHA256
35c99ce414e325d4b00c879d166b5f7a5d585aa0a76fed21b4be6bd55c34fc61

SHA512
65c11e66a14339ed471e22881fbfc7634f95fafebf254e06a88f2d36f3e2f3c1bba771f289618b1edcba7ff784913e85ef489feee4438041ded85b1fb52af303

Download Submit
C:\Users\Admin\Downloads\Melissa.doc

Filesize
40KB

MD5
4b68fdec8e89b3983ceb5190a2924003

SHA1
45588547dc335d87ea5768512b9f3fc72ffd84a3

SHA256
554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca

SHA512
b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

Download Submit
C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier

Filesize
208B

MD5
f27c5acf452b6a8123583c079af7373a

SHA1
f2dc1fbb364415482f26678fd20ffc078af7c323

SHA256
92e8925c5af069c183a6258367afb036bfd186852985a9fca8af4098a144e6ab

SHA512
2c9cc3ebe5e19070c11ee72d586cc1170ae804482cbdc69a33c4931cfe0b0aa6dc42b5ac94701c8da62144d87bb3c45e10362c75fb3a8a4252b909cc516549c5

Download Submit
memory/784-285-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-423-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-288-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-289-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-291-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-292-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-290-0x00007FF9DFB90000-0x00007FF9DFBA0000-memory.dmp

Filesize
64KB

Download
memory/784-293-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-294-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-295-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-296-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-298-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-299-0x00007FFA20D30000-0x00007FFA20DED000-memory.dmp

Filesize
756KB

Download
memory/784-286-0x00007FF9DFB90000-0x00007FF9DFBA0000-memory.dmp

Filesize
64KB

Download
memory/784-284-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-283-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-426-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-281-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-424-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-425-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-282-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-422-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-280-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-427-0x00007FFA20D30000-0x00007FFA20DED000-memory.dmp

Filesize
756KB

Download
memory/784-279-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-276-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-278-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-277-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download
memory/784-275-0x00007FF9E2610000-0x00007FF9E2620000-memory.dmp

Filesize
64KB

Download
memory/784-287-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

Filesize
2.0MB

Download