hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

max time kernel
29s
max time network
34s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-07-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

discovery macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\metrofax.doc	office_macro_on_action

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

37 raw.githubusercontent.com
38 raw.githubusercontent.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662300616482223"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings chrome.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

5096 WINWORD.EXE
5096 WINWORD.EXE
1876 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2092 chrome.exe
2092 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2092 chrome.exe
2092 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeCreatePagefilePrivilege	2092	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
1876	WINWORD.EXE
1876	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2092 wrote to memory of 2140	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 2140	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 4324	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 2108	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 2108	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe
PID 2092 wrote to memory of 3376	2092	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa8b599758,0x7ffa8b599768,0x7ffa8b599778
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:2
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:8
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:1
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:8
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1796,i,5782324941199248268,1955124049976467136,131072 /prefetch:8
2⤵
PID:60

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:4496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4552

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2b0b4615-eac2-4b5c-a181-3df6ec5084d0.tmp

Filesize
136KB

MD5
77782bc1acd76147ba777ff0f4a395a5

SHA1
dcf18f6f73e4b6768b3b1a8ba701744b90774146

SHA256
dba706a1da05cd9ea98c29463b5edde5373e97ab443cc7f28246b4389a47d7f7

SHA512
7f90eeadece0632893b7514871fb54c72c22de9ae08fd0f59427760e331559ad4e83010b630260663de2536682da042932ac0dcfc23d9a490a7da5290c6f6822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
e16f60f6728ba17d85ab03117a8e6dc7

SHA1
60d731bfcf3131b6335dcb969512057ada8c9c9b

SHA256
5cdd10673e4ea4be1bd912cdd30fcf303c2a4d2027ccdd6e8da9fbcc69bfa40f

SHA512
0f372c34c6a2abaf54dade891d96879883ff0e8d45df6875108468440f523008688ae88ceb794bcccb5170cd7fbc5cfbc49119a22d5a76c6390bf3b18c731cf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4191c59b347c00280c55fd57047d9e8e

SHA1
e8bf46cf91afdec0c58864dd58d5ffb4555dc9df

SHA256
b799ca1110c064a2e7a7b65c84d4baacb5b53d88a9ca04abc7790c1f54693f84

SHA512
9598e2713b985ad0aec082b8fb94f071e1aba0d4f2910ab69202c03c44d7d88ae17c05b6c618f1b4162f26a611f52f5f9ddbb16a4e28756aa89db0fbf0c7e7a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
760f8b1f27bf2b7dc7904e82ceb81ec1

SHA1
3cdf95f5ca7c237660832b26a97a77b48d0ea437

SHA256
645fbfb560d90a046faa523221db58254f6a593569778bee4d3513726732d6c7

SHA512
806e06776586335ea11b355135271495cc3199fdef093f2595610b636b170c053825c8cab7a0b7233c88c421707f7955c10930d7f4e2e524d600635ed876be17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f1a0ba6af048c27d36ca054f8d7923d2

SHA1
6c64b748d9dc06eda78e6b4afe2de2c00cd5f78f

SHA256
1d24986fbca1a9e1b44282d3b4eb1c5f18d49c7a909ab2752695788f07308c7f

SHA512
cdfcbb474a9fe119c5f9b8d302635a9d7e6a71d72fc2464aaba3cd4f1e43ab5ddd93b698e10afc781ef9b581443f3549f29624d2e9c5783756fd486498f9657f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
92eba38e7ef08c55f65c543e02ab7738

SHA1
afd04f13846ecad16c03685a7b2a9c25de9bab80

SHA256
96cfd406428a15be99a8ed3d6a306e45cbd62813cbe91dc96596225510e87b00

SHA512
8c0373271b860392857ecf463625e648862c781123a28b6ea80480f660ede246fa2d74f5c1ffe298c88179af02fc52876a56243da3ed03e9b89e18dad0587ede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8F6DF798-2110-44A3-BC71-8DA8A5D66A82

Filesize
169KB

MD5
6ce7edb2bc23e7667cc591afd1039c8b

SHA1
f848980d06d0912ac8c8d6f61ecabfc7160d6554

SHA256
6ccb2a7a6e12e023b0d8a033b321285fc5725181d4447335bdd91a4ea7bb771e

SHA512
172b21ac9bc8abe07fb1d834bd8fae604d7b01c97297ad2f4f746ebc293a430ccd26e55d179f71134f0d50809ed919f55e5d67880b0fefc4b38ebf7a94f32951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
20KB

MD5
15db10e4d00eaa724b5f8492ce2dfdbb

SHA1
bfbad10d28907010322f894fd0f4b04020a40cbb

SHA256
3ec59651406c7182d264cbd4ab02d8224065f803127c493207e233bf0775d45a

SHA512
d31f69c0b0aa1a8afb6b46c07db76835745dd5c02b79557ac2f8f85b6345b6832573b00f9b19298df457555e87187d1a7335be3d244f358dd9938f7dcedcb677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
8aac36fef4587bc331778b13e7f869c3

SHA1
c5fa2da237d31027cd8227bfdf6493bed57e0a90

SHA256
13a717f515d017fe433a9ef6184190d0bd86cf3d842888d7b7085b194fa86c3a

SHA512
dac738953327c24ff3b0159d3563995c958fa27f9b4b3080986949ec96a5488934ba17c7f605e2db72b8609e1aa2d5dce0a25ccfe7ec791c43e5d0050a1a9e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\25ECCED5.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
fc71330881a7f09900b94438d666a884

SHA1
9161b0d01ae496ef8bc81cf000d713a5c9f77efa

SHA256
e8ec87f29096e03ecce9044cf5de528ec34e03d035ec0681d22ee97a432ffd77

SHA512
b8e7a2873ba199152f2350aa3a0f95f49cba4a2553871f997b29a897933dbc0027c8a55319ef6c13340e2e5eb4feec842a02af514acca8365f510f38e4e3650a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
253B

MD5
6a98a01036a5fbbb24efc7ca65e6046f

SHA1
1a893e96e5ec904ddc35920decf0302dfb820705

SHA256
46ec59faa2e955b1af1abf656a306713a49a65bd64cdc09c74395acf9d394772

SHA512
0cb151ac22ff36d3cd810b7753335aa7436f7d8ec81cc18a0779745b6f59eb48fdb7e64b5aaab125ba9cde34ce883d40a5ff474d8e8da61135150711ba10f145

Download Submit
C:\Users\Admin\Downloads\metrofax.doc

Filesize
221KB

MD5
28e855032f83adbd2d8499af6d2d0e22

SHA1
6b590325e2e465d9762fa5d1877846667268558a

SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

Download Submit
\??\pipe\crashpad_2092_MQFUIDXCGSVUKMUE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5096-255-0x00007FFA50AE0000-0x00007FFA50AF0000-memory.dmp

Filesize
64KB

Download
memory/5096-264-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-252-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-253-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-254-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-251-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-256-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-258-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-257-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-259-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-260-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-262-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-263-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-250-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-267-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-276-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-266-0x00007FFA50AE0000-0x00007FFA50AF0000-memory.dmp

Filesize
64KB

Download
memory/5096-265-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-261-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-278-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-277-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-247-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-246-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-245-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp

Filesize
64KB

Download
memory/5096-241-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp

Filesize
64KB

Download
memory/5096-244-0x00007FFA945B5000-0x00007FFA945B6000-memory.dmp

Filesize
4KB

Download
memory/5096-243-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp

Filesize
64KB

Download
memory/5096-242-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp

Filesize
64KB

Download