hxxps://github[.]com/orangegrouptech/Biohazards-from-orangegrouptech

Resubmissions

05-01-2025 16:38

250105-t5tf7a1rdn 10

05-01-2025 16:37

250105-t4zltazjfv 8

Analysis

max time kernel
31s
max time network
54s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-01-2025 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/orangegrouptech/Biohazards-from-orangegrouptech

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
66	raw.githubusercontent.com
67	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\161cf609-4088-46d5-bb6e-cc66fe66cf08.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250105163741.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5704	taskkill.exe
5696	taskkill.exe
6096	taskkill.exe
6108	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1716	msedge.exe
1716	msedge.exe
704	msedge.exe
704	msedge.exe
3836	identity_helper.exe
3836	identity_helper.exe
2704	msedge.exe
2704	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe
704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1340	704	msedge.exe	81
PID 704 wrote to memory of 1340	704	msedge.exe	81
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 2936	704	msedge.exe	82
PID 704 wrote to memory of 1716	704	msedge.exe	83
PID 704 wrote to memory of 1716	704	msedge.exe	83
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84
PID 704 wrote to memory of 2176	704	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/orangegrouptech/Biohazards-from-orangegrouptech
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff87dec46f8,0x7ff87dec4708,0x7ff87dec4718
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1968
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff794eb5460,0x7ff794eb5470,0x7ff794eb5480
    3⤵
    PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6319528872873047505,10271333612042587673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:5592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:5704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6096
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:5376
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:4744
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:5544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:5696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6108
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b19b7ecb6ee133c2ff01f7888eae612

SHA1
a592cab7e180cc5c9ac7f4098a3c8c35b89f8253

SHA256
972bc0df18e9a9438dbc5763e29916a24b7e4f15415641230c900b6281515e78

SHA512
16301409fee3a129612cfe7bdb96b010d3da39124aa88b2d111f18d5ae5d4fc8c3c663809148dd07c7f3cd37bb78bd71e25be1584bd2d0bacf529fa7f3461fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23fa82e121d8f73e1416906076e9a963

SHA1
b4666301311a7ccaabbad363cd1dec06f8541da4

SHA256
5fd39927e65645635ebd716dd0aef59e64aacd4b9a6c896328b5b23b6c75159e

SHA512
64920d7d818031469edff5619c00a06e5a2320bc08b3a8a6cd288c75d2a470f8c188c694046d149fa622cbb40b1f8bf572ac3d6dfc59b62a4638341ccb467dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
222f381548b9ae117f38ac57456babcf

SHA1
07269d7b9f35c115f6012d775931173e9903ac22

SHA256
a7c9c3140ec22dfe81931387ebf31532065028b7fca1ef66f71ed77b09c23c01

SHA512
4bbb63a3913558eaf5cc5ca4d14dc0bd4e9d1c3eb391cd2c28b0e8d3a57950c65ccf9164353801297a6e04df2cb8b45a98fb3da3cb86c6dd0fb64c88e18e2fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d65cfc711363c8adf9ceef3f6560a041

SHA1
66ea61ed9e2e5f0b5e30d9a833c120af4b8a7ece

SHA256
574a695f855a0e577de237fae046768662865ceba2fd2223391f4b05233040a1

SHA512
b40c5b3987c20ae0807d0b6f7ec3b920439bcf0a15439d253da65efdd63c4272f671cc61e0a232f0756987610109ec059c0cf787518608d0dddf89833fe3f5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
58daff33878c229bec760196495f1328

SHA1
d477808d03e4a76f5b8884cd71d5c5a24f5d3d48

SHA256
4f0720bea86fd236dcb5236ff849c3c94f6851af7e33294c1986f52e8acc93f2

SHA512
9d89f82d12b49c936c319190856af63ffe5f4d1ee8bc8e54d6d8d9aa055dc4838942fbe592a5acec207c598dd18dbd3275a01bf5af8c0b277421d52c295c0983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7eb1aff064ec301b05cb8dec93d8c58

SHA1
c3d89b7eccc65ec84d67b24f7492550a46427933

SHA256
11f4810aefbeb018f3b8ff4106798f4f89354ad6601da4d4dbf9f3fc46d0f399

SHA512
95e1ac651032df58451dfec5beb0a5eedb9c9c2d2747c5c3bbb5a4c3fcb149070937e3c4183ed09253dab7432012b93491dcc390d5c436093bbdd1ac43f7fe4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f1965f8ff10ee42095c3eb00de712437

SHA1
bceb5e0fc2950e8e81f3c30b3e782e004597278e

SHA256
8cbf8cb9b46646c17b8cf33f4d4662f5554de99fe29033cf434f291ce28f4f3f

SHA512
26727b9257072c347058779d9984aebd0ae7d6a9a1aa140c06ee1ec339eb0c72add58c2dc883d9cf54768497f24e5000dc812c008bacef7a8547645c925067cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8cd513127214e252edf0454f329bc002

SHA1
6f47fac6be8e7331e54203a7865e86b32cddf16b

SHA256
3df220380a8bf881117c17102a5c70ae7deea18ec92e7c478df2ee904d882108

SHA512
0b6d2f2e12bb8b15175875b7118778e57475934dee0476bc3ec989c5408d1ff5cf1c2d5dce4bd980a3ef9bfee232f974fa90050171826f3f0847f9682ae7e4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
371edf34cc4edfe5fc16d906571e1a49

SHA1
2b0f160569aff513f7ac25a16adf02758cca07fc

SHA256
ee07b7e150c132312f076f2fe4c58445fcf86aea9eda0468b6ee040b5f690d35

SHA512
9598bca019b2acf65bc0511062e8edf53e00b3801d7a9b49f9c6b7209bcf7ff782ec215716955d5f378f952d77435bccf210384909f28bffa83fa9ac8589cdb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6c88f2ba2b7cb1267c004e1dd7c9b353

SHA1
1524caac7a857802ee09987d7d3188dd44255c77

SHA256
fbdc2916eba9fb31baa9be1dbb5449f8a442929cd97336f551f0f359d7561506

SHA512
6a6b87dfe74000653deda17968705de938a332b63ed62a29237837b78bba86ef3177f1b99477136a9c6646e47a45610068d8d8279bd3bbd2f22c817ef82ca100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97f9fd6e11ba79fea46afe25e26ddbde

SHA1
f7a84f4e76614db0dca9eaf7067f509fc5322833

SHA256
b9afbb34840f6c5cd67f4f462f14ad23f9406d4e0ba8a19ee2c23441c2897b2f

SHA512
53a1d6c2a0cad4d6026079da5f500c2323b784de9fe1727f77d4a1e9b4fd0cab7aa3dadc4d0f7b08861125599637f700b24333c0c1240c37875d20a0926e79ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a930.TMP

Filesize
874B

MD5
632e0ab1b25a2e465666a4ab71969bab

SHA1
df7405e34077ded0ea47fc62f0c4f47c405def73

SHA256
e4d5e53efc4402740b99caa5a44df989eada4ca864634e80a92138b06996f2a2

SHA512
17300cf6cf40279d54b8a0411ba72a45a549f58b8d7ea6288aa0317d0f58fe18297c2dce5ab5aa3fd5b76ae969b699beefa221e8225a883982b88550db11ded3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c1a314292964c10ff4ef8866bbafb035

SHA1
fa669a7076fd5c700dae649bfc717fe8c9d10429

SHA256
5e8c7c85e981f0da471a8e8678375dbbd875438e8242270a5a8cdb8a9d03afba

SHA512
97155ecb62b2ae9d26ac888b9a2292d6604ac56a0d6c2deac23689a3dc9c837197f797b85b9ad54b58f520f8d42361b8f6b1a19bc329000c55165a8443f5befe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
29ef32a4d0054cbaf47903dc014ad480

SHA1
b240194c15fcb6d4b03c2ac4a52dcd83159f4de6

SHA256
5a344a40cc1e42f5e4c7704fc5449f5c7d9a60e5e3b4ab9985e2ee0fdf48a289

SHA512
f3ae6786238937086990fbe004a43e47183b86c6f721de09021fd3406e3aa5d8f8e1f2d9563d92c155f28629aa3e6853f76c98fe4a7700e40347724d23200801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
d93b86445c01075c8867da3d16265f9d

SHA1
7aa24a01ad0eef56d6430eebdb3e2a1a8957d6db

SHA256
2540e8ef89cd138aecacd44dc2c6ea1822c31cddba36fbea465aa2ef25f4b7c7

SHA512
722f33e21f87e3ede19e3a0500e0a1f8c3439a3b48bd0353a0311f396383779c400bd8f7f92666ab0ba034d47086e8b2e33ac1d88696ef6c4964e93b7ab5b90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
90280bf7cc3fae43e94ac04435d2ade5

SHA1
0802be217293e1647171bba54320d992be2daa5e

SHA256
823d6bf7d53bde8d6a02e8ceaea3447701d943f3d40e82a7a2cbba98e015d0f3

SHA512
1664046403fc39ae7408078a21bbebddb7356a8b8dd8d9ae05ee364f5e4be9bb5c0fe472fa71a89c2bbfc73fb2c6ebff0309d1bc99da908af72262fecf44df4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\icon.ico

Filesize
361KB

MD5
a4b9662cf3b6ea6626f6081c0d8c13f3

SHA1
946501d358e5e3b10223431e474607e0eb248796

SHA256
84a1c2713642090523f05d9fb015c537fd210d3200cadaf442bb67cf1834b356

SHA512
4e94dcf9200bfd6d685f93acaa0bd93d49bb0fe2229f3105e22b8893e0d530ad15e8dce5be6db1c1db393fcc169defc43f12e35308be30b054631487d16cbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
dedee29a75ef636e2f7773a055893501

SHA1
3f699837eb62b929a6b7d180d6cac52e2e0cf616

SHA256
f2260572b7d5c649358e52725f3cc39e38329cf6fedaf436f728a095c8d8e2f4

SHA512
ce864526014f6ec85eca688edc4f580b6d533f0c5bb55903bd5d1be8a82f01602268b2416b04598c4f25ab2acc78854206e08ca5ce26c5c66ccd5230a6aa2e18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
61b1e0bb769f2fa81cdf1859738d3d79

SHA1
5ff1755a306a87d6a58d82fc64cd50ae5012124f

SHA256
4e4a2dbbde4b0ebd83d25106fd8959982cc92e750bab7b0e5f0107d2f3c95342

SHA512
a0c4cae5a9efcdcb639bd8b089ee01836e7cff3d2737fd5aeeeb9db3975ff71424d3199cf52ff98c93f9a3769938c38b665aea94c2c7ff54480ad589e619460a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 666556.crdownload

Filesize
6.7MB

MD5
d5671758956b39e048680b6a8275e96a

SHA1
33c341130bf9c93311001a6284692c86fec200ef

SHA256
4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47

SHA512
972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7

Download Submit
memory/5292-445-0x00000000064F0000-0x0000000006A96000-memory.dmp

Filesize
5.6MB

Download
memory/5292-494-0x0000000009B90000-0x0000000009BA0000-memory.dmp

Filesize
64KB

Download
memory/5292-485-0x0000000009B90000-0x0000000009BA0000-memory.dmp

Filesize
64KB

Download
memory/5292-480-0x00000000098B0000-0x00000000098C0000-memory.dmp

Filesize
64KB

Download
memory/5292-484-0x00000000098B0000-0x00000000098C0000-memory.dmp

Filesize
64KB

Download
memory/5292-488-0x0000000009B90000-0x0000000009BA0000-memory.dmp

Filesize
64KB

Download
memory/5292-482-0x00000000098B0000-0x00000000098C0000-memory.dmp

Filesize
64KB

Download
memory/5292-490-0x00000000098B0000-0x00000000098C0000-memory.dmp

Filesize
64KB

Download
memory/5292-478-0x00000000098B0000-0x00000000098C0000-memory.dmp

Filesize
64KB

Download
memory/5292-444-0x0000000000310000-0x00000000009BE000-memory.dmp

Filesize
6.7MB

Download
memory/5292-492-0x00000000098B0000-0x00000000098C0000-memory.dmp

Filesize
64KB

Download
memory/5408-471-0x000000000C470000-0x000000000C4A8000-memory.dmp

Filesize
224KB

Download
memory/5408-493-0x000000000C6A0000-0x000000000C6B0000-memory.dmp

Filesize
64KB

Download
memory/5408-491-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

Filesize
64KB

Download
memory/5408-477-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

Filesize
64KB

Download
memory/5408-481-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

Filesize
64KB

Download
memory/5408-489-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

Filesize
64KB

Download
memory/5408-483-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

Filesize
64KB

Download
memory/5408-487-0x000000000C6A0000-0x000000000C6B0000-memory.dmp

Filesize
64KB

Download
memory/5408-486-0x000000000C6A0000-0x000000000C6B0000-memory.dmp

Filesize
64KB

Download
memory/5408-479-0x000000000C4E0000-0x000000000C4F0000-memory.dmp

Filesize
64KB

Download
memory/5408-472-0x000000000C440000-0x000000000C44E000-memory.dmp

Filesize
56KB

Download