Analysis Overview
Threat Level: Likely malicious
The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Enumerates connected drives
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Windows directory
Program crash
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
NTFS ADS
Modifies registry class
Enumerates system info in registry
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-06 16:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-06 16:24
Reported: 2024-08-06 16:34
Platform: win10v2004-20240802-en
Max time kernel: 573s
Max time network: 501s
Command Line
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\2229298842\349655694.pri | C:\Windows\system32\LogonUI.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{0046A46A-D761-4B64-82C4-BEEEC12802D0}\8tr.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe |
System Location Discovery: System Language Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{404CBF5C-64A2-4D80-8233-EE40D1266679} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 4e0031000000000006596783100054656d7000003a0009000400efbe0259836306597b832e00000096e101000000010000000000000000000000000000009b58ae00540065006d007000000014000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000000259506e100041646d696e003c0009000400efbe0259836306590e832e00000077e101000000010000000000000000000000000000006c514100410064006d0069006e00000014000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000025983631100557365727300640009000400efbe874f774806590e832e000000c70500000000010000000000000000003a00000000008f90650055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "3" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{DA716F31-33C3-4B98-BC3D-B318F6AF6908} | C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 56003100000000000259836312004170704461746100400009000400efbe0259836306590e832e00000082e1010000000100000000000000000000000000000091df54004100700070004400610074006100000016000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 50003100000000000259876510004c6f63616c003c0009000400efbe0259836306590e832e00000095e101000000010000000000000000000000000000007eef83004c006f00630061006c00000014000000 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{6AAA4AF6-8668-4064-9C86-DCE3D45710B1} | C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{0046A46A-D761-4B64-82C4-BEEEC12802D0}\8tr.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe65f946f8,0x7ffe65f94708,0x7ffe65f94718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5508 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3468 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1477995745203510813,7756426987470213046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Pony\metrofax.doc" /o ""
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5304 -ip 5304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 1556
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x40c
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe"
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe"
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa391e855 /state1:0x41c64e6d
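The process list above pairs each image path with the command line it was started with. The helper below is an added example, not part of the original report or of any sandbox vendor's tooling: it parses that two-line layout, pulls the PID out of WerFault's `-p` switch (`-p 5304` in both WerFault entries), extracts the document Word was told to open via `/n`, lists the images that ran from the unpacked repository directory, and decodes the per-PID `memory/<pid>-<n>-<base>-<end>-memory.dmp` entries that appear later in the Files section into (base, size) regions. The sample input is copied from the report; the function names and the `Temp1_*.zip` heuristic are this example's own.

```python
"""Triage helpers for the process list above (alternating 'image path' /
'command line' lines) and the memory/<pid>-... dump names in the Files
section. Added example; not part of the original report or of any sandbox
vendor's code. Sample input is copied from the report; helper names are
this example's own."""
import re
from dataclasses import dataclass

# Constructed sample: five process entries copied verbatim from the report.
SAMPLE_PROCESSES = r"""
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Pony\metrofax.doc" /o ""
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5304 -ip 5304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 1556
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
"""

# Constructed sample: four dump names copied from the Files section.
SAMPLE_DUMPS = [
    "memory/5304-1787-0x0000000000A60000-0x0000000000AD2000-memory.dmp",
    "memory/5304-1788-0x0000000005470000-0x000000000550C000-memory.dmp",
    "memory/5568-1794-0x00000000002C0000-0x0000000000724000-memory.dmp",
    "memory/5528-1835-0x0000000000400000-0x00000000004A6000-memory.dmp",
]

TOKEN = re.compile(r'"[^"]*"|\S+')
DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Proc:
    image: str
    args: list


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted spans
    together and dropping their quotes. Escaped quotes are not handled; the
    report's lines contain none."""
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN.findall(cmd)]


def parse_process_list(text):
    """Pair every image-path line with the command-line line that follows it."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating image / command-line pairs")
    return [Proc(img, split_cmdline(cmd)[1:]) for img, cmd in zip(lines[::2], lines[1::2])]


def werfault_targets(procs):
    """PIDs named by WerFault's -p switch: the processes that actually crashed."""
    pids = set()
    for p in procs:
        if p.image.lower().endswith("\\werfault.exe") and "-p" in p.args:
            pids.add(int(p.args[p.args.index("-p") + 1]))
    return pids


def opened_documents(procs):
    """Documents Word was told to open (the argument following /n)."""
    return [p.args[p.args.index("/n") + 1] for p in procs
            if p.image.lower().endswith("\\winword.exe") and "/n" in p.args]


def is_zip_preview_path(path):
    """True for %TEMP%\\Temp1_<archive>.zip\\... paths, the folder Explorer
    extracts into when a file is opened straight from a compressed folder
    (heuristic; this example's own)."""
    return re.search(r"\\Temp\\Temp1_[^\\]+\.zip\\", path, re.IGNORECASE) is not None


def launched_from(procs, root):
    """Images that live under `root` (case-insensitive), e.g. the unpacked repo."""
    root = root.lower().rstrip("\\") + "\\"
    return [p.image for p in procs if p.image.lower().startswith(root)]


def memory_regions(dump_names, pid):
    """(base, size) of each dumped region for `pid`, decoded from the dump name."""
    out = []
    for name in dump_names:
        m = DUMP.match(name)
        if m and int(m.group(1)) == pid:
            base, end = int(m.group(2), 16), int(m.group(3), 16)
            out.append((base, end - base))
    return out


PROCS = parse_process_list(SAMPLE_PROCESSES)

if __name__ == "__main__":
    print("crashed PIDs:", werfault_targets(PROCS))
    for d in opened_documents(PROCS):
        print("Word opened:", d, "(zip preview folder)" if is_zip_preview_path(d) else "")
    print("run from repo:", launched_from(PROCS, r"C:\Users\Admin\Downloads\The-MALWARE-Repo-master"))
    for pid in sorted({int(DUMP.match(n).group(1)) for n in SAMPLE_DUMPS}):
        print(pid, [(hex(b), hex(s)) for b, s in memory_regions(SAMPLE_DUMPS, pid)])
```

Two things this surfaces that the raw list does not state outright: the `metrofax.doc` path sits under `%TEMP%\Temp1_The-MALWARE-Repo-master.zip\`, which is where Explorer stages a file double-clicked inside a zip, so Word received a document extracted from the archive rather than one saved to disk by the user; and the PID in both WerFault lines (5304) is the same PID that prefixes a block of `memory/5304-*` dumps in the Files section, so those dumps belong to the crashed process. The report's command lines do not record which image held PID 5304, so tying it to a particular executable is an inference from ordering, not something the list proves.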
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| GB | 20.26.156.216:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | 216.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| NL | 2.17.112.8:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.112.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| NL | 2.17.112.33:443 | r.bing.com | tcp |
| NL | 2.17.112.33:443 | r.bing.com | tcp |
| NL | 2.17.112.26:443 | th.bing.com | tcp |
| NL | 2.17.112.26:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.134:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 33.112.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.112.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 2.18.190.145:443 | aefd.nelreports.net | tcp |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| NL | 2.17.112.50:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | 50.112.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| FR | 92.122.219.160:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 160.219.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 2.18.190.140:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | 140.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 2.18.190.140:443 | aefd.nelreports.net | udp |
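The Network table above mixes resolver queries to 8.8.8.8, forward TCP connections, reverse (`in-addr.arpa`) lookups, multicast mDNS and a few UDP/443 flows. The helper below is an added example, not part of the original report or of any sandbox vendor's tooling: it parses rows in the table's layout, collapses repeated rows into counts, decodes each PTR name back to the address it asks about and checks whether that address already appeared as a destination, separates multicast and UDP/443 (QUIC-candidate) flows, and lists any domain outside a benign-suffix set. The sample rows are copied from the table; the benign-suffix list is this example's own assumption, not an authoritative allowlist.

```python
"""Triage helpers for the Network table above. Added example; not part of
the original report or of any sandbox vendor's code. Sample rows are copied
from the table; BENIGN_SUFFIXES is this example's own assumption."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the header plus ten rows copied from the Network table.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 2.18.190.140:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.134:443 | login.microsoftonline.com | tcp |
"""

# Assumption: suffixes this analyst treats as browser/Office/sandbox background noise.
BENIGN_SUFFIXES = (
    "github.com", "githubusercontent.com", "githubassets.com", "amazonaws.com",
    "bing.com", "bingapis.com", "microsoftonline.com", "office.net",
    "nelreports.net", "youtube.com",
)

ROW = re.compile(r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|\s*"
                 r"(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$")
PTR = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa")


def parse_rows(text):
    """Markdown-style rows -> dicts; the header row is skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["cc"] == "Country":
            continue
        ip, _, port = m["dst"].rpartition(":")
        out.append({"cc": m["cc"], "ip": ip, "port": int(port),
                    "domain": m["domain"], "proto": m["proto"]})
    return out


def ptr_target(domain):
    """IPv4 address a reverse-lookup name refers to, or None if not a PTR name."""
    m = PTR.fullmatch(domain)
    if not m:
        return None
    return str(ipaddress.ip_address(".".join(reversed(m.groups()))))


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(rows):
    """Collapse duplicates, explain PTR lookups against non-DNS destinations,
    and pull out the flows an analyst should look at first."""
    counts = Counter((r["ip"], r["port"], r["domain"], r["proto"]) for r in rows)
    seen_ips = {r["ip"] for r in rows if r["port"] != 53}
    unexplained_ptr, unlisted = set(), set()
    for r in rows:
        target = ptr_target(r["domain"])
        if target is not None:
            if target not in seen_ips:          # reverse lookup of an IP we never saw connected to
                unexplained_ptr.add(target)
        elif r["domain"] and not is_benign(r["domain"]):
            unlisted.add(r["domain"])
    return {
        "collapsed": counts,
        "unexplained_ptr": sorted(unexplained_ptr),
        "unlisted": sorted(unlisted),
        "multicast": sorted({r["ip"] for r in rows if ipaddress.ip_address(r["ip"]).is_multicast}),
        # UDP to 443 is almost always QUIC/HTTP3; a TCP-only view would miss it.
        "quic_candidates": sorted({r["ip"] for r in rows if r["proto"] == "udp" and r["port"] == 443}),
    }


ROWS = parse_rows(SAMPLE_ROWS)

if __name__ == "__main__":
    result = triage(ROWS)
    for key, n in result["collapsed"].most_common():
        print(n, key)
    for k in ("unexplained_ptr", "unlisted", "multicast", "quic_candidates"):
        print(k, result[k])
```

On the table as printed, every forward domain falls under GitHub, Bing, Microsoft login, the Office template CDN or Akamai's NEL collector, i.e. the browser and Office doing their own housekeeping, and most PTR names decode to addresses that appear a few rows earlier as TCP destinations. The PTR names that do not (for example `26.165.165.52.in-addr.arpa`, which asks about 52.165.165.26) are the rows worth a second look, since the table shows no connection to that address; on a Windows 10 sandbox they are usually reverse lookups of Microsoft telemetry endpoints the capture did not list, but the check is cheap and the answer should come from the pcap, not from this table.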
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 983cbc1f706a155d63496ebc4d66515e |
| SHA1 | 223d0071718b80cad9239e58c5e8e64df6e2a2fe |
| SHA256 | cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c |
| SHA512 | d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd |
\??\pipe\LOCAL\crashpad_4896_CGNLMFYTQJKXGLBC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 111c361619c017b5d09a13a56938bd54 |
| SHA1 | e02b363a8ceb95751623f25025a9299a2c931e07 |
| SHA256 | d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc |
| SHA512 | fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0f34932ea3d29c6e3092785f700d13aa |
| SHA1 | df7cbe6b81d1ede8a11654418ed2a07cfe057096 |
| SHA256 | 521f6e0f294b117e4e81238b49bb68da2e48e347ac46fdc998ba4904bd120943 |
| SHA512 | 90c842ad2aff0bce72fcfea6d27f931b5088dddc48aea97a584a18e3852228f282e7204e57cc51ca7c5a8f9b1132c1e6e03d36a712a6d7b797e15e271b2c2788 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 01df0cdf53241e0e25ed5839fa9eba6a |
| SHA1 | 3a5dc6c3bc08e1ff213196ea29042ad7a5e3f30a |
| SHA256 | 2f8e2c7e6e809c374a0530fc93eb92146bb12b9417f9a5e543d32484d954507d |
| SHA512 | daf74a8c13a5b0695c90dd132206119f8a7e623358c45bf56a5d85bca03fa50527232e0733999585c751857a69ab3d7c7807af7243ad774b0d29421faffbc0a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 634969117e816c8472f13c1d41bcb185 |
| SHA1 | ac62b2362c0930cfcc92f605b994f5d4b28fe890 |
| SHA256 | 90da5f218e09001b6987e534b22e19cec1babff4b278fbec6fdbe9ce80f9fa5d |
| SHA512 | e2e043d28b28ee3dcf0d168c987822d469286bf1bdd596c47c46fe94069606d4e4585329e34d63e4dfdbc2cf94cb5d219deffe6337bf3e3bba50fe9dd9c9951b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 39f7d587edf0d2b93c749ec1495595ee |
| SHA1 | f580426ce71060d988c2ce3c617cb573af67d5e4 |
| SHA256 | 53d92d04e26ab448ea5d35305217351352c2a2ead2ad7cf4775925342e1a6511 |
| SHA512 | 1636e08843d82b7b41ef7e85b30e3701ccc826309f3d25e8d4ffcd3215209a3b7256d7054227ae9cd1bc7c71179c1d70ca894a7a264f4edb5ee876193953d968 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f23f.TMP
| MD5 | 82a9f6d1426940ee04307372b2c5ce58 |
| SHA1 | c9bf2a8f1e4a7d90b486606129b74908d5e2d15a |
| SHA256 | 92ed37fd79dc4d8d3538f08e17e3d3631f1493a0691579db6814eb6ae7014ae7 |
| SHA512 | abb44225662ecd1a26f1def65d7362dbd4a43209ea1d6358c12e9f4b7dfc875b685e3c44dc9210b21be357cc8f3ac0bb2100324a773d3cf29b5d4c437ec30678 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 354f182972985430e61317a35f737466 |
| SHA1 | a03836bb31e2642f4912e58931cf1915f1e07dfb |
| SHA256 | 88fa25892cd6c081f37e03e4f1c8c97c6aadbae361e92d1df2cd269bad73142f |
| SHA512 | a0700d2b2d16557ebbef43a931c6d635cfa3395f58c9a5c4454c2a058776dc99ea29f71214bbb72bcdc9df9a86a819657dc003f4778d6ccbc9ea36ffe08cc4bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 3e8f487ebc61ed5c31159d675ceae4c5 |
| SHA1 | dcba28143d739cec290282043d85564bf0d2282a |
| SHA256 | f83c518eb5f27141bdc7b0f87710a1a919af7b702a43c12305f8207baeeb5265 |
| SHA512 | f3307a798b5700473c415d4f355510eafffc5ff7ed77022603cc9b2a0b882ebf8b3f926607cbeda70993c0b20865e84579d56939061ded518b667691fc26b18d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6c3a24b6de10e67e132b563c93d57818 |
| SHA1 | 73581ba8a85d678478fcc84e3d842cfcff08a1b8 |
| SHA256 | e5ab06f9b7261262b8a764c9b2140ba6d88e4b8f738d7603569c0012a9047f11 |
| SHA512 | 0d56d48e1732ce0e3ae6f721350f617c9c1a3b7f234672e26c4697bc5a07dd2acaaca549f74ef845853204dc26e4808078e4bd8c14fa23682af8618a2a311fe4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fab41c023ec674b6d293b68c6ca66820 |
| SHA1 | d5902204036ca0862afa9ef56bfa5d445638b4f6 |
| SHA256 | 1bbf2424197c9fae5fe6c7c08f7cf14d74b1f26d07ba5a8f72149d9dee041f8c |
| SHA512 | e88b022d5ea24198f45244a56f793b64d92225b557f655721fba6007adfbb78c0d0ac65a3fb55e53ee1dd2a802500673190e53d49b19bfb973fe712fee8aafe4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d55324578c0c78f0cff4901cb04a0bdb |
| SHA1 | b3346d0c06a06726ca3bfbc0d9e3869d4c188efb |
| SHA256 | 7445b04aae288bdebbcf783fea0df3cdf124230187a97376a479529a68bd41b2 |
| SHA512 | 1853ec3c7f2c8fdc9e2e79dfb807afdf4da01499380e9ec1e85e23826942e649a6a9c3d025e987c166c7bfb6c7ddfae7cbd1ed2ba5e5686c1b788748564641e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c006f961fbe0932feb72c23f2c5ec792 |
| SHA1 | 16e706e78fd10066fc91f35bc729944fc6fd735d |
| SHA256 | db115a62577d64b1481b28ae52f5c929d97ab729af33beb20f4e1153e886ee51 |
| SHA512 | 89f18e322527937b1c5aed0509668f8338b649ee8c2971737e8453f489434d10deda16ca4a746cef686b9bd32e38996031aa299cd8ee76f851c9fe9600ea1d75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 03c4da2955a9d777a99c23b67af04641 |
| SHA1 | fcd702992a8148bf5dc308ad1dc42e0e752ce941 |
| SHA256 | c9b99bb103da6a6b8b04a44928d56a176a1111394150dc00e738a9872f920fa1 |
| SHA512 | 8699c1b5771c07f7b292a966644895b279c8a2246a8b98ba058911b9de23374181354d61dc87b4d60711bdafe501c8d7ae49d4fdd2c49cb8a271d1f0f41dc0f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 2e2ee354c210ddd2fc2c456e785021c4 |
| SHA1 | c00c5f09f2cb77decaf739c0ab3235a65ea1e9f7 |
| SHA256 | ab9baa69fb541029b6a57caf687182fa612f351df7c00b1d75ce86a04a84860c |
| SHA512 | 8341e7031432bce522d08f776db5656c1406fa181a6376d39f6814473ee1d559bb12cd4fb824b59c7f0db9f5c769ec4e26cc889dd291965b180f9d8943b73c22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6104e556275c8076f98e39fa713885d5 |
| SHA1 | 2dd4551c7bab3b44d5c439152f13fd8d186c82cc |
| SHA256 | 3e977c1ce1b00aa38f56acaa3940db40f2d1a2fa82a81a557b0aa29c49e4d063 |
| SHA512 | 5d526144a0d677fb68abc2d35de31da3d07b5ba78e8735e46031bc1591954fcabc899b1101f40fc89261f61761ed598157b367c4d636d0cb4ee811614edb83ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
| MD5 | b38fbbd0b5c8e8b4452b33d6f85df7dc |
| SHA1 | 386ba241790252df01a6a028b3238de2f995a559 |
| SHA256 | b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd |
| SHA512 | 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
| MD5 | cc6a7af85ef808b23fb0d7856ed6aafb |
| SHA1 | 9c32e7d7b33e9769211fbce53001a17848d546b5 |
| SHA256 | 0d8b4860b16e4ee74beff0e2034bd195352dba61a455efdeb35d6ede7c4c7391 |
| SHA512 | d9e9086a0d6827ba073028b67a73e8d0936ff9813238075af53dd75af0f7417b56dc4642417ced05af36ec9e66bac671ab8ed9d0f73dd7b84a6695026ba2abf6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
| MD5 | 24a806fccb1d271a0e884e1897f2c1bc |
| SHA1 | 11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a |
| SHA256 | e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85 |
| SHA512 | 33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
| MD5 | 027a77a637cb439865b2008d68867e99 |
| SHA1 | ba448ff5be0d69dbe0889237693371f4f0a2425e |
| SHA256 | 6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd |
| SHA512 | 66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 38ae802b42291708a0d0b47ee5aa7306 |
| SHA1 | e02d2ac9c5b2a71d1d78a09a43f986c36fec0e13 |
| SHA256 | 98907e1e9b22373e576c9316432bcf452dfffba4770efcc78250c11c463f464e |
| SHA512 | f264594a87e672529eda50724f5e6fd6882f1d41e1b536854224cb86dba176f3d15cff7cd3514825c5e9d7c080915172ac2f46f15edcdb9c6a045e8eda990896 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0891b57d2fbaa474bb532a6add62966d |
| SHA1 | b67c87bd8a41a5a500318379b10c8fe7efb0628a |
| SHA256 | fba5a4f1fe790f85c29a40c4ae913bd4f904d0adc99704b72f67199d073d5376 |
| SHA512 | c60b4130330ee87fab26567d5f66510fec116f3319473c6df756c75e86c99fa2acd9d2a56755559586cb1622e7ccb715b3c16c73ee2116e2c432121933f2a137 |
memory/4244-677-0x0000023320840000-0x0000023320850000-memory.dmp
memory/4244-661-0x0000023320740000-0x0000023320750000-memory.dmp
memory/4244-693-0x0000023328B40000-0x0000023328B41000-memory.dmp
memory/4244-695-0x0000023328B70000-0x0000023328B71000-memory.dmp
memory/4244-696-0x0000023328B70000-0x0000023328B71000-memory.dmp
memory/4244-697-0x0000023328C80000-0x0000023328C81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b22521606a20ca82e7b397c1a0b1804a |
| SHA1 | d53d1f476dbbb4e939a1b05d85f5e50d2cf2d4ad |
| SHA256 | d02c2d7ff3e916b28248fca385f5c28dba1ebdb0904db077bda99e97b55d344d |
| SHA512 | 1165ef8b5c0970d11a1962430b6d9c016638d76438543cd82f89b7ad3e7596f64f0c8da704134c76a8f433dbdfbb754e53caa89bca2cf8eb41eebac387ec8a7c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
| MD5 | b07f576446fc2d6b9923828d656cadff |
| SHA1 | 35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103 |
| SHA256 | d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496 |
| SHA512 | 7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019
| MD5 | d9b427d32109a7367b92e57dae471874 |
| SHA1 | ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39 |
| SHA256 | 9b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3 |
| SHA512 | dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4574aae056a0f5ebfe8aa2dfb79e4e8b |
| SHA1 | 7810104a625350edde75c78242b05c480a4b3bc0 |
| SHA256 | 4d2ecd34547261775513661b6fb928afa937bcad9320f91a81881efdc888872c |
| SHA512 | a35d3a251f83ba28f054ca63c18ce8663f034c3b0c80abe80522ae037005de5e4ad44536d3a430a87e5232e01152c0616c4ee9248f10a290001fea25ec9597b3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | cdc8573f985d58e7eb393cdda82687e1 |
| SHA1 | dc14e1bb0767ae37bfb2f391b0473af8c0085cf3 |
| SHA256 | d2efd040c2a38d4f058b87b2c1843d77b938e45fb99688b08272489fc9983565 |
| SHA512 | a9721e50e66bec6a1f6e533845bd88f45662100da7b24ee1f2a4c343d96241aed1ba280bc4517ec77a0f0b7ff52ad785418b231897ae9f1a0be605b8e6c3e76c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f67b98104902cac4816f18a41616059d |
| SHA1 | 2762883e7c5548f13471c032bb311cc22348d475 |
| SHA256 | 5fd2f1e8846e9bc725df1835f672694428412dd243b99c1fe2389009dafb8a3f |
| SHA512 | 2bd463e6464a29f54cd6c73279bbf0c86f53794422ff1a49b4c8803dd8205439a4988b981de23a119c1feacab55ee414e5de615d09972b58c44b0a05aa7a6d11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b75aa03017dc09c9c023ba1087b23348 |
| SHA1 | 417e7f89b4afb6d30e13606fbc32ffb091cf068b |
| SHA256 | 5d8bb30b541795c92e694f80f31dbf04ca155cdf601c6d38a962a4e8f8665403 |
| SHA512 | 38c0a005a29adbc2c8dfc157f907699de547b87cbac455d990a70afdab0872780dda2a286afb340f4b6a0ca3966bfa6b48adbac70c757b5722778975444c1296 |
memory/4596-1057-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4596-1059-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4596-1058-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4596-1060-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4596-1061-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4596-1062-0x00007FFE32FD0000-0x00007FFE32FE0000-memory.dmp
memory/4596-1063-0x00007FFE32FD0000-0x00007FFE32FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres
| MD5 | d1f63bbbc25ebaa972129f1626ff8532 |
| SHA1 | 6bff75410234e3d5323f34bf5358a7c3318f58e9 |
| SHA256 | 90d0ac85a55f052d0a93acc18297cc74a782546e5995a5a5b0c225b47aa0de7f |
| SHA512 | 3a2a7d66eccb28730f0834510dd0fd347ea6bc525169ad05b45d8062ed57ca0ea08448dd5c488ea52f8ec8c801d268c707f935abde2be5e72b4baefaddbb79f7 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
| MD5 | e117f89eaa1379010696e5be5e4dc001 |
| SHA1 | aadccd6656b534fe60a642b22ce09f967601112d |
| SHA256 | fa23544af63a8a149dea60f2ff037a52be7d93e6852cfadda1b2cf65aae3ea27 |
| SHA512 | d3fe31f4d741178f7a3c3119ac1b6dd2b31b9ae9a5d53f7993a126e389a7e922f68fe15d11f4f4c0d156beb35f33fa2198c64ce63308eb3286be3a5c617542b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0177ce2cb659bc239a63e6d3e02be52f |
| SHA1 | d2bb56edd28b88033a2b264839b03febfe6f0a4f |
| SHA256 | 3df4575ae3073d2928fddb184c4bb32d32c6d7cf9482148b925bea28d7c0351b |
| SHA512 | a9f3e27060de4c545e6f2a99f1d3ebb3cb85702fb41fafea8319b750e80e3a733450c4214d680bbbc97b0a653373c06af70a5f179041cf70b060e32cab585267 |
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf
| MD5 | bcfb74647eb3f5b3c309b83974c09f3c |
| SHA1 | 26d505a70cd87d125fed15c1ab54f5e64f701312 |
| SHA256 | d67ead894399990896a6b2a5dc1db7356f3f76b32125095e502a5c4592632d82 |
| SHA512 | 60f450506453a63a02353b139b78420c435329af050f34a531340e1808636a55478aa8b03a8a1fb6bd1e41c96cdccc4e88e05cd003c5dafed6f514bce37aa224 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B41D5BE3.emf
| MD5 | 0ed5bc16545d23c325d756013579a697 |
| SHA1 | dcdde3196414a743177131d7d906cb67315d88e7 |
| SHA256 | 3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3 |
| SHA512 | c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\70713530-8725-4B0E-9E52-91216000A2D4
| MD5 | 3f8333a107ad413c1fc5c6d9e3621fe2 |
| SHA1 | bdb1d63abd463b20286bd230aed542f56857c218 |
| SHA256 | 75da29510facb164cd1232bc3400b5e56a146ecea3857ff51a292e8bfe9b59aa |
| SHA512 | 711ce079cc5dde1388ba12cfa441043794cd4f8209281944197525f84790050e1e8e3438cc3d60f5fe08f403a209d6e741832964a3a9c677c20f3e403e636857 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
| MD5 | debba7594babd7860696b83291892ede |
| SHA1 | 3fbd2c37d37526595d05f6df373dff6bb0d45290 |
| SHA256 | bbfdbc681f6e35ddf9e69c17de29dd95bcca50745f8ac044e004286bebedeeb7 |
| SHA512 | ff8b900dd821a98730517fc48b0d5802ffbd267b363317bc391d96eb771d4fbb2f6cdd38a27fee3c9c6c7229b882e0ac79d8d2923a8dbacbaa9fa70aca1a3285 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
| MD5 | c37599898a24a20ab005a063e2f5e695 |
| SHA1 | 5efaaeae8b06e403f576f2b121d591575daa6e9a |
| SHA256 | 0f5567f2f8e7d2cbbf5f6b6ecfa3b8a9b8410ee9bb8a4b93ea66485dc49390a0 |
| SHA512 | f3ea82466e612978bb99bf48b5ec5b9caa31f9db29dfeaf3e509a28be510d0cd735a01e8e2d515116c3ea20bf27e32f576bf11f6bd8b470ce115a816b5354c00 |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
| MD5 | 4782023837751aa0d070f3bd7f992286 |
| SHA1 | e47a406d2047a7e9741bc9c3d8ab42597a202d4c |
| SHA256 | 6c33717b958d7a74d5c27d0c3c33ed592cbb6f12d5d7dba7da271b27aba961d3 |
| SHA512 | d79772ebef590f865549a55684adb45abd718530cdb7801cd370d95531293980b3698a3d0b5e0af89470a2b74993fb3a74df52a2415c73605f9d48d97da18c60 |
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
| MD5 | 37a26f4259669587c887c1ee118ddbf0 |
| SHA1 | df560ab0ef2dc209a85bc34218988b3fbe815a4d |
| SHA256 | 1dabf140e2d2a868f8bc78ea0cb9a014236c8bf042dec8c579bd7a9721707970 |
| SHA512 | f7aff98fb9dde2c731246f9c73fd2f4e20128e4cab4b1ad66a34cdf96e4c021028702483db36f512062de36590622adefdb644a0e83d9f3ebf0614090225e3f0 |
memory/4392-1224-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4392-1226-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4392-1227-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
memory/4392-1225-0x00007FFE350B0000-0x00007FFE350C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD1B85.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 5d70df03676ea2629bb4317f82554ba4 |
| SHA1 | fe6d2a93bb8d4c85e620b385c75d0c149cb5f5c8 |
| SHA256 | caf07061d147e1151eee3f19106d8202ba716580dfaac2cd43015b4e0262cb4e |
| SHA512 | 881fdb1186ee3f7c846f44979151d5e91cf3ed66c4561467d41dcb74a2da752a11444b794037b015d63493d994012b67432ee087301f4616ef5b4816b319aa7b |
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of fygbf.asd
| MD5 | e644409d15bc7fad3062021f4f4ad4e4 |
| SHA1 | 771bc69396d17cd756615cc467752492090fe9be |
| SHA256 | 0ca3f9b3f0887541848e48dffccb8b8e7e4310d93e270be3a803d5ad24b1525f |
| SHA512 | 6be275ed430b68ea6a112cb726ec30ab1f3933d32f65c6b70ee249449ec9976f40b0a432c92fbe38964034421667be89dc33be845b67d4d57856e186ae3584aa |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
| MD5 | e4e83f8123e9740b8aa3c3dfa77c1c04 |
| SHA1 | 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 |
| SHA256 | 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
| SHA512 | bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
| MD5 | f1b59332b953b3c99b3c95a44249c0d2 |
| SHA1 | 1b16a2ca32bf8481e18ff8b7365229b598908991 |
| SHA256 | 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c |
| SHA512 | 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
| MD5 | c56ff60fbd601e84edd5a0ff1010d584 |
| SHA1 | 342abb130dabeacde1d8ced806d67a3aef00a749 |
| SHA256 | 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c |
| SHA512 | acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e |
memory/5304-1787-0x0000000000A60000-0x0000000000AD2000-memory.dmp
memory/5304-1788-0x0000000005470000-0x000000000550C000-memory.dmp
memory/5304-1789-0x0000000005B20000-0x00000000060C4000-memory.dmp
memory/5304-1790-0x0000000005610000-0x00000000056A2000-memory.dmp
memory/5304-1791-0x0000000005570000-0x000000000557A000-memory.dmp
memory/5304-1792-0x00000000056B0000-0x0000000005706000-memory.dmp
memory/5304-1793-0x0000000005720000-0x000000000572A000-memory.dmp
memory/5568-1794-0x00000000002C0000-0x0000000000724000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/5568-1806-0x000000001B4A0000-0x000000001B4A8000-memory.dmp
memory/5568-1807-0x0000000020E10000-0x0000000020E48000-memory.dmp
memory/5568-1808-0x0000000020DD0000-0x0000000020DDE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 72eb14682d4d2c7cb069d1fa845ab926 |
| SHA1 | 21b30cd6703e8dd7dc82c52b42cf853b5788d91d |
| SHA256 | d5776d99bfded51cde07c28208a34363aff6471f7687e59fe8d15de66a8885da |
| SHA512 | 03cdc3117ee07802daf6268bda056a28b29473888f55b00c7b9e9a6e8d807748862ea18e9e61175a8b6094581ba69f589f878efc6c6488b9ac1f839bd0e99045 |
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\chilledwindows.mp4
| MD5 | 698ddcaec1edcf1245807627884edf9c |
| SHA1 | c7fcbeaa2aadffaf807c096c51fb14c47003ac20 |
| SHA256 | cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b |
| SHA512 | a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bf585d163dc8a8eddb7398d2bc91d096 |
| SHA1 | c912d7806e7f3e4d63c73e2a02b5e207406e3012 |
| SHA256 | 08975bfcb6c8f7c65521475956451376d7d82d17edc7121f990f4f4c3d2a3e28 |
| SHA512 | b57d163aa02bb0783eb8c9135a7956ab2a8f738ba5470b690f4d3e8e1292d9c9bcf9bb785cdf52ab4d27955698e029e0b68e91d9a964de100b02ddc921de1be5 |
memory/5528-1835-0x0000000000400000-0x00000000004A6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 368f49911d024f5b0ffe8bb08e0155af |
| SHA1 | 57d02102be9f9b030f3a0405987f16cb3e553afc |
| SHA256 | 3d49f96757b9a448941e4f656c3a9562c9a35253a0992f578e15be9af2085833 |
| SHA512 | 93a978c602f3a7cc9b0a78b9c80162ededa33a188f87bd37469afb2057b4bf0dac150c4931aec2c0e82bd2f65fb03345706efe720ec3a18db564aaf1a45e31e1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChilledWindows.exe.log
| MD5 | 6d1fdaa0eab80613585a67eddff3c32d |
| SHA1 | f270d9d29c067a7b03d381e52c922ad20a594de5 |
| SHA256 | 8e4e4153f0340300a69b3f25bfbc9ac720e7595783d683ccfbf7982267e0af1e |
| SHA512 | 97ac919b5203bc5d26b57be5173cc22f98e6a19eca7822d7e99eed7011d653bbbce64bf4d5e3c35cfc7ed8214d4efe54923819ff41fda95aaa40d485068c54d7 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | cc56153faf8ff7caa5c180ffa0621cf4 |
| SHA1 | d428e086d8ec33aa49caf3d768c19b471990b7a6 |
| SHA256 | 56a3bdd66fd6e9e84ea49bfd753cf18da7dafb7d621a3910b9b4241fb4d8c78f |
| SHA512 | 309293549c12eec79998cad8e594bd65136206ca27372732fade121fc88f58401ea045fc78fc63dbf2e629d8df27863b123246cc5191614554db8c9b3d5d1c5a |
memory/844-1878-0x000000001B1D0000-0x000000001B276000-memory.dmp
memory/844-1879-0x000000001B820000-0x000000001BCEE000-memory.dmp
memory/844-1880-0x000000001BD90000-0x000000001BE2C000-memory.dmp
memory/844-1881-0x0000000000B00000-0x0000000000B08000-memory.dmp
memory/844-1882-0x000000001BEB0000-0x000000001BEFC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | bafbead3438db73122ee07f1861075d5 |
| SHA1 | 54a9e99d648d07b85c7d6c7ba2ac7ab677b7c5dc |
| SHA256 | 19b609f0ee99f35713a35aad3cac44e409b41b7fd5f6d329e5ddca57fe612b93 |
| SHA512 | 466c3257a70a82f28cba60260ecf7bf3b91c22b770a9748ddde57134da8f7bbc6208cd8a7a0e302effbc8c2adbd2bf8dc484e2bb7bd4d575a0d362881b8608c4 |
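The dropped-file and memory-dump entries above follow two fixed record shapes: a file path followed by pipe-delimited hash rows, and dump names of the form `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`. The Python below is an added example, not code from the sandbox report or from the repository under analysis; it parses both record types from lines copied off this page, checks that each digest has the length its algorithm requires, sizes each dumped region and groups regions by PID. The assumption that a region starting at 0x400000 is the default image base of a 32-bit executable (a common place to look for an unpacked PE) is a heuristic added here, not a finding of the report.

```python
import re
from collections import defaultdict

# Memory-dump names copied from the report above. Format (inferred from the page):
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, addresses in 64-bit hex.
MEMORY_ENTRIES = """
memory/5304-1787-0x0000000000A60000-0x0000000000AD2000-memory.dmp
memory/5304-1788-0x0000000005470000-0x000000000550C000-memory.dmp
memory/5568-1794-0x00000000002C0000-0x0000000000724000-memory.dmp
memory/5528-1835-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/844-1878-0x000000001B1D0000-0x000000001B276000-memory.dmp
"""

# Two dropped-file records copied from the report: a path line, then hash rows.
FILE_ENTRIES = r"""
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChilledWindows.exe.log
| MD5 | 6d1fdaa0eab80613585a67eddff3c32d |
| SHA1 | f270d9d29c067a7b03d381e52c922ad20a594de5 |
| SHA256 | 8e4e4153f0340300a69b3f25bfbc9ac720e7595783d683ccfbf7982267e0af1e |
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\chilledwindows.mp4
| MD5 | 698ddcaec1edcf1245807627884edf9c |
| SHA256 | cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b |
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# Expected hex length of each digest; a mismatch usually means a truncated copy.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DEFAULT_IMAGE_BASE = 0x400000  # heuristic: default base of a 32-bit PE (assumption)


def parse_memory_dumps(text):
    """Return one dict per dump line: pid, seq, start, end and size in bytes."""
    regions = []
    for line in text.strip().splitlines():
        m = MEM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised memory dump name: {line!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"region end is not above start: {line!r}")
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def summarize_by_pid(regions):
    """Group regions by PID: count, total bytes, and whether any sits at 0x400000."""
    summary = defaultdict(lambda: {"regions": 0, "bytes": 0, "has_default_image_base": False})
    for r in regions:
        s = summary[r["pid"]]
        s["regions"] += 1
        s["bytes"] += r["size"]
        if r["start"] == DEFAULT_IMAGE_BASE:
            s["has_default_image_base"] = True
    return dict(summary)


def parse_file_hashes(text):
    """Map each dropped-file path to its {algorithm: lowercase digest} rows."""
    files, current = {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m is None:
            current = line            # a non-table line starts a new file record
            files.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("hash row appears before any file path")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} for {current} has {len(digest)} hex chars, "
                             f"expected {HASH_LEN[algo]}")
        files[current][algo] = digest
    return files


if __name__ == "__main__":
    for pid, s in sorted(summarize_by_pid(parse_memory_dumps(MEMORY_ENTRIES)).items()):
        print(f"pid {pid}: {s['regions']} region(s), {s['bytes']} bytes, "
              f"default image base: {s['has_default_image_base']}")
    for path, hashes in parse_file_hashes(FILE_ENTRIES).items():
        print(path, hashes.get("SHA256", "<no sha256>"))
```

Feeding the full listing through `parse_file_hashes` gives a SHA256 set that can be diffed against a clean-baseline run of the same VM image, which separates the repository's own payloads from the Office, Edge and Media Player state files that any Windows 10 detonation rewrites.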