hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
108s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-08-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

discovery evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
35	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4460	taskkill.exe
4320	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Evascape.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Evascape (1).zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
2352	msedge.exe
2352	msedge.exe
4172	msedge.exe
4172	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe
424	msedge.exe
424	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1840	2352	msedge.exe	81
PID 2352 wrote to memory of 1840	2352	msedge.exe	81
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3888	2352	msedge.exe	83
PID 2352 wrote to memory of 3808	2352	msedge.exe	84
PID 2352 wrote to memory of 3808	2352	msedge.exe	84
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85
PID 2352 wrote to memory of 4496	2352	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3f483cb8,0x7ffb3f483cc8,0x7ffb3f483cd8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,16189586825026272797,12716826391123112074,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3788 /prefetch:8
  2⤵
  PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\Temp1_Evascape (1).zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Evascape (1).zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
610d0b3e61d21de60b8de5d2e6822c72

SHA1
f32be5fe794d3a681fe93371e6e2837c8c0eab9e

SHA256
e22275873af8a9d7c21e12d257fe28bd2ff290287e1ae8d8f98fb29e4fba5340

SHA512
ab3e5f4601d02bfb551dcc961a58c11066064535215d092224de60806375cd2653539ec4ff32e5e3f091a9b12d01719b3c9334650f910d5abd48c48ddd05a8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0fe96fb6342bbbeebc823d3214c2b31e

SHA1
24512e348090987f42aab0397e37822b8db2819e

SHA256
38312f108b50d482c5453f1c1d0147b22b204527d11c75033b503130ab93b53d

SHA512
25ca721bfc51d657e9400ea1cc138022c834469ac14bc8b7b54f3ab631bd3b44a55738bbfe4bbc02e3417a7813d8117644e3b7e0c216930ceb8912ca4f754d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
591B

MD5
068d2bed8706c18f3e112ce3d644d255

SHA1
a9f6cae04c84b99564769ae590070553a2ed3dcf

SHA256
c8f8d37ae6e2b1d3d043541d628aad4a7475b970f05492b0e49c12cf29c2fd83

SHA512
d2cfe65d707285311494f3b8c2efda09c4c11c9f3d25df6a8a778ea56cd4f742bda3d0d9e59e4bc253660998d9a8440051873ce5d0b02ba07f07d48ef0767497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19f559b33c64c646c0a26768648c5387

SHA1
1043199e315e0bef73cc44084252273bdd349c37

SHA256
cac06b5124067ea86b766525123afca5112cb9e84d4c28cc5323f7a74596d85d

SHA512
fea22db044d8346f0f0a2479fdaf1be1541be13df99ae8437aa31acc36980086861c43a620d33ba5adba025f3bb5f7ffc01e31cbcb4e70da132a318eec58b9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e68af69eb17a57b948bb4209e98587f

SHA1
db691a3a89ebbadac81b22a1e0e03a12506d9c47

SHA256
c2e813242b8cac766896b4987c734a1cd678d952f5ecab497423b5e00332f2e3

SHA512
622a4dbd0998d820286d67d2ef44afa0911f7564b3fc374d07791751d65783cfc28596ae783efe145537bd929bdcd0383377dd23ef2d90c82600c2bd77065bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f74947c4403985cda3b0275494da1d36

SHA1
3e35d258e0e49b9ac2fd47637f4fa8cc77701ce4

SHA256
53c773bdcb433c7e5f79aca302075a0acc820bf73b4a31582a0c5e18e82af254

SHA512
e41038e4382b8ea7a6ed9edb617f68bc4f77bf8632fbebfe780d995b53e2f28e2845676b96982cd4f8d5b3853b421379a9d22790602fb1c69862caa796170153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b58b21068bc93185b0d24b8f0b185d55

SHA1
b7338c29a39c5f580cc4733aa6de0fefe6099295

SHA256
a1a18afb13e7ca8244f10cdbef334c1259a9f2f905b861f3d98c6ef34bbea7d6

SHA512
5069cff1d81528cc15c9be6e43471b19e46600887a2ebd7eb7071410538e4d12bf2c6e8b8f0175cbf6a489de709d93cc9099e57877ac53ac4a05fa245460424a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7cd8602346d2206826a91672fef5ecee

SHA1
cc4e47a045966d8e4a5beaf10a68a6304314d3e2

SHA256
0b869cb6653b93dd8c42b62b29a85af7bfd7951d2e5299f59bb71caf998a02dc

SHA512
773547ed46675225600f1fa5806ed0dec2ecb621b15bf24cfb59eb634b88988e12cbf6498f18b3f7fd2993f6c3305edea591e8ae68d28cd35fef932bfb2018ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d263.TMP

Filesize
1KB

MD5
d398e3cb93dc9d44cdc996814111c8e7

SHA1
97282c062cad0c76821c166cc29f6c041521f79c

SHA256
1336c5a4e443363f5365e6c0c59eab976307c79f378b1a83ce42689950258c19

SHA512
d4a0f29841a25bebf5d0e11f38a6ad61890352fcb02699e2bc5e86e64cfe1af215d6a0bf0c966cc4df152433fa832e271e7815d901f7d109764329c1c86e0b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ffac1815756ebafd5df407729d154bd

SHA1
52e6cbfb4070c36f0f1d76dd1f3a5a596ac2e19b

SHA256
7c20baaf3ec9a7cc229beb54ea91737bf05b8a34e700f191964ed993a2bc3e18

SHA512
5ad0b85314bb327c8084c42214f1351eb2425758846b481d4a908c7505f80817bfb2d5f29a5ef359a80c7276bce0ea27a86f0b0eedcb753369b0429c935b0b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0994edee1c5931cc7c17bd791f5972d0

SHA1
86f74fe3bfb1329a7b3df1fad6b05ce312d235ce

SHA256
458229a60d548007449d25fc42be68ebb621013afd208cb63a8c54dc14459a1b

SHA512
71ea55ae9afc0e5e72e8cc29bfcb50feea92460c448e404fb9e41c3b13c8736d09cb67bf89c53fbdaea798b0207f322782b98936d98a8a5eb66e5bfc2d287c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71f737a10b6b170623d671a006001662

SHA1
56b971cd8518310c9b69cc9b3017c8c6bb3bf700

SHA256
550c14c75449d851ac269457d6180b93101d995f26c634ca60287a693329b609

SHA512
a5c92310216cb77e5051439d433c80998bad4cacbe97c57d15a399148c9ed1d9b2de6094a29941b8292ec3c98e59dc7bf610328bac6c681fb7f1023b4182f6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e3a51b4ad559a5dda3cac22ec0a1ceb

SHA1
e156cc32cca38d1b4f7e383f5e387abaf5e1ea8f

SHA256
b020cc17b7cb3ffabf1cbf420695ebcc740197499c40c109a3e3117bf4e2444b

SHA512
4e5c2c87a7fe5f3fddf7bf28f7b60d2d973737c295beb38c8b8465dbcad8227387b669d36c7f45d394d7de1d48e0e54a44682bc323c889a09f66f3d941afd9ae

Download Submit
C:\Users\Admin\Downloads\Evascape.zip

Filesize
352KB

MD5
dc6e7760131e079e65bf8f2077813133

SHA1
9ac5dfb227ce624e82956de1c245616972794548

SHA256
3d84d2a869371e2196840f8382bf23691857303c82d7b5c1cace8a2c4e1d960e

SHA512
15c76977fa3532f0ec54751fb9377639daeab5ba430f5f3f098615ab868af45fa7a59a8f76c4583230fee0bf231ff75df68022b835be3deb1dc773d80929a8cb

Download Submit
C:\Users\Admin\Downloads\Evascape.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1404-406-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download