hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

12/03/2024, 13:56

240312-q87ansac8v 6

12/03/2024, 13:54

240312-q7hwpacd34 6

Analysis

max time kernel
958s
max time network
1055s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
95	raw.githubusercontent.com
96	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
6124	WINWORD.EXE
6124	WINWORD.EXE
5028	WINWORD.EXE
5028	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
4572	msedge.exe
4572	msedge.exe
4148	identity_helper.exe
4148	identity_helper.exe
5676	msedge.exe
5676	msedge.exe
5932	msedge.exe
5932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
6124	WINWORD.EXE
6124	WINWORD.EXE
6124	WINWORD.EXE
6124	WINWORD.EXE
5028	WINWORD.EXE
5028	WINWORD.EXE
5028	WINWORD.EXE
5028	WINWORD.EXE
5028	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 748	4572	msedge.exe	87
PID 4572 wrote to memory of 748	4572	msedge.exe	87
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 1900	4572	msedge.exe	88
PID 4572 wrote to memory of 4844	4572	msedge.exe	89
PID 4572 wrote to memory of 4844	4572	msedge.exe	89
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90
PID 4572 wrote to memory of 2608	4572	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffb33fd46f8,0x7ffb33fd4708,0x7ffb33fd4718
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,8610723010702309035,16370117783683596072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5932
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa (1).doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6124
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9a1884ef-2171-4681-9da1-d350d7f58a8d.tmp

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
40KB

MD5
4b68fdec8e89b3983ceb5190a2924003

SHA1
45588547dc335d87ea5768512b9f3fc72ffd84a3

SHA256
554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca

SHA512
b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6a7827b1b7f1e991b9bff54d362f5e4f

SHA1
8a9f747ee4afbf798e45e3167b78373da0abce01

SHA256
9d9377962d6cb4b494491f62dbdf8d7ead3165a53523cbcfd1afba5d77741603

SHA512
0aa04f9151d5b342ab20aed9aaa5f835916b82f2482441e47dca994a11fa846cab9df8a71f14459692ad05684b06cc642ffda02ba5260e489184a23d16daadad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
b8fdc8d04b83beb089126efbce00f896

SHA1
971ff6e70884b2cdf229be5a0cad066e3bdb085b

SHA256
c3084bc354488bb98cea934da0e3d6a462b574774df7f3b4fe289688acf3ebfe

SHA512
f5f0033e6bc47a723773fb221dbb2d5b684209ffc7a8046e708df1f5cade52b05158d2fc09fdb3867ca1922734f64fc5cb3bb7224da24df348085092385a45fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00c9a3448fcc62ed774d3f465631414d

SHA1
213a21d41388e0f5d72904199bd231703c9c9a07

SHA256
c1303b91c9e1d7fc301bc6d8d1f155937862a699e061fd55a8542c4df2a91700

SHA512
adc2973c6d561f3df01e3439d4348acc3da103202d316330e7320f5e31329efacbb6627886e830d23a72f94f74800814a3ddaf7d15273de965802a0fac54718e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29b7c4978398bab1438b602516048a33

SHA1
6c42e3b82511dcc8cca51c94ee10188e149aff6f

SHA256
5c94848c35188c7ca7bd6e638729162789f25953dc77c78cd9471249bb2ab20e

SHA512
67074fcffd65402735106c05f10aa5177f414f12dfa88a6a1149240b98e493bca9b4a7fbaef9f4abc82309399e2f8df1da69d0c415e6651058a7c9594334eb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
033bf6443a03ee08ab2cc7dac828a645

SHA1
21465d11c3c43ecddaedf7f218cc3234ce5a0d18

SHA256
c2f55006612fbdf235c4b5c78bf8285463c2b91f5ecd19b6b91aa9ba5e7cc1d3

SHA512
8131099dc7f596db5b7dbeedd5d30b23da01107a4776a79fa990f8818fa3475c815201c6d3c63c8e370ae57ee38723545c1a50dc73059645cc0f6780274486b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53e986f68e86e08dff6ec72cd312e8e8

SHA1
f9cee9da77f865a70bd5e1091d2352e5259d3187

SHA256
4e82eb608f3d852f746ce5e8914d078ab07538cd2e40aae99a08160c2c20581a

SHA512
cd3d36f8d2fbbd6cb01a19b235497d4091b15bf8ca330585feb08baf24e71e977c706bb9997156bf7709dedc123975e70ff0844ac58bc45330a7d9df6a01e952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
99e9d485e616e16ddc87d0e6ca5aeea8

SHA1
22257e09e766fc576f97abac69f1fb48f1e1ef07

SHA256
0546571f401bdb11d00af07a64faab2827fc2891e9cdf6ce0b3ebc640bb7343c

SHA512
491d7873dbfaf56415301a9926eb7309f177618e16b40b500ee11027c15e62735f5cfce3e4c0dc43561d8b398ea03a4f3a946a2ca6305c1811ed7fce9837f5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a36c53119dfe3c083fc6840d7afdf56e

SHA1
875deaca059d83ce9ab070b7504e1df2b298cfc2

SHA256
d102c3b6c4971091fcb804bb1a1210cd96171629cf2094409607fe49825f6881

SHA512
700ae1a13e16cbe99906d0e8ff6de742fc16e856d226c63c572e0e99fa2ee0dfa3f9699f8c4f15ecbeef89ef8e96d0351ae557f130cab6ca64dbe49153fb748b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c2844725cb4854acbfa3c026c9b58acb

SHA1
eff3bc4c307219d1887b6b6192fe00ec4b399d44

SHA256
d8c38d87202adb1afa038a83996ecb5ef1a5cfde21f666184db4d776b2e8e3f2

SHA512
20f51b1bddf4612151841f6208c827071c17d320a83d46df222d55a6edc63c1ef53c11df331f9b2c9823ad92239eff1973dc408edd60899878b805e1aaf2ba8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ddbd.TMP

Filesize
874B

MD5
3084a60a2ad51736e65bc8438e1a2625

SHA1
2498fa3143d96020310bb6a0e4d358450d4c53ae

SHA256
d354a5b11735e55c87a011f0812912f401fab37d04c8243be312f9ee166ec6ea

SHA512
81fcfe00b62446512d9e8e371658207f13a564030427d22c4b92ac5af42414aa0e6b6893d2856a641dc19b53b6aee754890575efcac144e0a6f058543febb221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
516abbc52a528b075dec943752cfbd8e

SHA1
2478b4ce09b4c7685bc26a6f1a539356582e50bd

SHA256
44292e2e56305f2b0b7cc6f82762322ff20d8b5a953a18501f3e3180ad10d781

SHA512
934e033c705f7597dc918952cccac09f265c3881d84977f48fe7a3b5f130e9f69afdfe508ca239cd98bb03b36d49cccf7d01481249c16418cf57623c85892e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b6a602aaac3107922030ab12d1a8dd91

SHA1
18beec34f2a9f2374dd4e4a40b02db865cb0f2ff

SHA256
2c043bcab423c1c3512eb835e5bcef647d0615c4814aaf0fdc61acff1b64c379

SHA512
c9525833607e1b00ab5b6da058d462f9817fb4bbf7b175d152217ba5e9be84dd6095457277b9c02171db12c046e21743cc0c6b57876aeb2d25465557f098c13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
41324a46299c5356dbb850709892bc63

SHA1
f33bf6ae5eb5d13675be14485d9688547d940d4b

SHA256
9aee50878376619153f42078340f408c33d2d3f9c10e5e039d04abe34d92f36a

SHA512
ffb59afcf2dfb1f1be8a0076b7ba9bd4bbab2f20509f8522862cba5d69853507b034f6b262da31dd080471e9a4687551d28e9d971258c5741bdcbfb5b3bc1df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
f6b7e5b3c057f3c2c28fa7815781e7a9

SHA1
275c4994f9d80733937b5e788f7c551470277eee

SHA256
5e258377fa462b4758bd7f7d9090669d084eb31e0b1960c5a3138132ee519907

SHA512
cbe77ccbd4c80fd9da1eb0da13e03f7b5b7c9964655e234ac545749637e3d8f7e47b69b7b06fd1a43b2dcf5a86df6cf06240633a3a2426e6a490b952b84e77a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
3a567aebb56042abad61ff823352fb73

SHA1
ab8e0b7c637e9a9a47ba056ac5e262eda27db282

SHA256
9ebbc9ed34e20baf8152434d277d500fc3e990af19e9e8920d491bf40b42c624

SHA512
fba1b30afd8574c943251bc91e7c9083ff06b08e080e632c26b7c40e6d7bb3db28e059147169624fde4a0756dae1c404ea4a18327c68a729b055c4209a55ea6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
ad6b1530eeaac3fc781eca903fba6f48

SHA1
8e7ed974607ee934ba7b8d6047d29d59551f5ab3

SHA256
d67debf4f4551464e7e570f1848e76ebe4efa2d231a89e1bdb78c3e14e5983b0

SHA512
a8dd401bf70f4ef642b58045f99481f4ff8d1bf6d0f653d21347389dbe0866931b1e9cb33f81906537c4adfd0d9099875a852e5f146614372b8ea835ce4bff9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
e128719425746d7ff74a3e3440084a4c

SHA1
c24a5cc2159f660e1d57e38a7d01b9b0e504f8ba

SHA256
faac02d459eb25235f61a1dd69cf00cb83a664639f99be0b623e61fcbba2c0db

SHA512
cd66f940fe275aef523916fda9ff07529b1c9ec289ab62c2df024e1482c0c3441c8ac4483ffbecaf3c70242da0442ed7212d174189b73b3e41220334f171986a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
255B

MD5
c468ac2ea54e1aa7d9c427f41898aabe

SHA1
ec8b1503edb3f0f14168dadfb5899e948c73ff95

SHA256
3df63fca5a83d7cdd339bf1ea03b60a1db0795081cd669c17bdc399393554e28

SHA512
78b8d23deea8ef440a8c876eb471cbeffb546f37e2efa3cd53aeff18a6c1a612ca1cc1a5a59279e91e5dc78720b94a85adadbef7542c9d34559e9e544a976241

Download Submit
memory/5028-522-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-377-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-384-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-383-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-382-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-381-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-517-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-518-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-519-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-520-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-379-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-521-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-378-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-385-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-376-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-375-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-365-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-366-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-368-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-369-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-370-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-367-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-371-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-372-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/5028-373-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/5028-374-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-265-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-347-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-343-0x0000022D24D90000-0x0000022D25D60000-memory.dmp

Filesize
15.8MB

Download
memory/6124-333-0x0000022D24D90000-0x0000022D25D60000-memory.dmp

Filesize
15.8MB

Download
memory/6124-313-0x0000022D24D90000-0x0000022D25D60000-memory.dmp

Filesize
15.8MB

Download
memory/6124-276-0x00007FFB000F0000-0x00007FFB00100000-memory.dmp

Filesize
64KB

Download
memory/6124-275-0x00007FFB000F0000-0x00007FFB00100000-memory.dmp

Filesize
64KB

Download
memory/6124-274-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-273-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-272-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-271-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-270-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-269-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-267-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-268-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-266-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/6124-260-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-264-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/6124-263-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

Filesize
2.0MB

Download
memory/6124-262-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/6124-261-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download
memory/6124-259-0x00007FFB028B0000-0x00007FFB028C0000-memory.dmp

Filesize
64KB

Download