hxxps://github[.]com/AlapatiNandini/BH_CG_TPS_SC_10_B_QRLPerformer/blob/main/Data/Config[.]xlsx

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/AlapatiNandini/BH_CG_TPS_SC_10_B_QRLPerformer/blob/main/Data/Config.xlsx

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
64	raw.githubusercontent.com
65	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5932	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
2600	msedge.exe
2600	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe
5728	msedge.exe
5728	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE
5932	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 3484	2600	msedge.exe	83
PID 2600 wrote to memory of 3484	2600	msedge.exe	83
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1520	2600	msedge.exe	84
PID 2600 wrote to memory of 1752	2600	msedge.exe	85
PID 2600 wrote to memory of 1752	2600	msedge.exe	85
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86
PID 2600 wrote to memory of 2180	2600	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/AlapatiNandini/BH_CG_TPS_SC_10_B_QRLPerformer/blob/main/Data/Config.xlsx
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaa6046f8,0x7ffbaa604708,0x7ffbaa604718
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Config.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15356428429661244156,10869378066077862607,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5b4c6ac8a6359394811cda9481aaac1c

SHA1
4307a2ed272c1857ad67c07b3edb297d45f8e363

SHA256
39c09f785f683cd16389b19d1a6b48e16a020298375cde71d794edee6492da5f

SHA512
b7f6a62693b1299ecbef7d0ba66470330ef3e10d8a11d60281ddd619a044bc283432b09e37a178f4b50c1678de5b526bfb88e7b06f4c6e5aa84b80368ec1145a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
024cb70daa50ba5e6b6d2857e2463e5e

SHA1
79cc9b10f8e9aa077ac849362d14abc7e4d24347

SHA256
cfee045eb6b710726867f3037d829fbf1a49ca111cb9054a583275a4fa72ef1a

SHA512
f90ced28d9ed87533fcbcf069c793a2024f07176333cc17c3ee68dd58f69bd8c7eca6da04c9b06237c1bb04c95783afb18c8c1055ec6cb87b456cebc8530feaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3122a9206d05c7219148175e99f2c1f

SHA1
91aeda98b1faa491fd0d434e1866c7232b302294

SHA256
6eb990e25bc906e372bfc05fcd6ded650716f0dfae40394bda8bcdb9c6393d9c

SHA512
143f7a6e2cb4755bbefd10830a1f0351561dbf5cebebc418e8a30d5e20d1f1794902b034e380034e09cf891d3d8605e310c3fa1034887c07e116076411ac95aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13467cc62742c26437f52b052619ddf5

SHA1
60b069db3c1f480cfe0b97c9a712321b241d45b4

SHA256
105131294c81c5fbaf0e50cb76d7dd86ffef8be9ce46660ef2aecdadda7d29f3

SHA512
f3adae8d3d3ed326426f3f5b4f04077197f6cabf15d7ea871edbe575c7d08ec1860838fa705e4e851610525187430d2404b5b944f61295a29a185c781a8ae96b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfee9f9083c48ff419e9a6c400277cfb

SHA1
a1f8a7f9b93af2ad08d32f7ea3a41a206fe6c849

SHA256
ea3e8fd5477e6431c50dcaf433c4529d0607ab934a1a0c903d30c4ca605c998b

SHA512
327b5012205cb7cd4563d829e5d2e1bcfab3ebf75357fec2b15c398f661ee32fab7cc6b3c5fdb1ec3ca01b88f10cdf8a9fcd12dfa8c94acdf5b8571f981428c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b8b1.TMP

Filesize
1KB

MD5
e20de1c58b73cc5cf1fcba984f29f1c6

SHA1
d5f2283f2774fdcf03cc099c2b3d609167fce40a

SHA256
659ada76fe1741f4b486ba5a0a2019c49eb6819485679aea736dccc9ce2859e8

SHA512
36244e3864a4ffac6937b2c35fe8835ba9f4761233b0605de83d199fe1aebb015cfe2f488c4187d7bb2d6bcd41514c699ece463e26ea972ba99d77ef84766d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de7cfc2476d8f42ae4144934df817e92

SHA1
d2f9ff6b74cdcdd64381ada40d4d9a79d78e46b0

SHA256
08c3acdbac82faf84f75d400404012a94b11aa83862a7bc5d236a36dd4a525fc

SHA512
94640b43876ec2d42c18ae15516efe294adedfa93a405d756df55ea97729289cd8baac4e23544f7c99acf150d6c79046fae366266b33435b453c48ef84fc8de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a11c501fa1ce324f80e9c2fb06c217b6

SHA1
d90a50256013cd4bc56702e19218bad8bd6e1a39

SHA256
0ef296bcfdc8cd0067c1eb720ada075796c502eba4e794e47cc0fd8f83508c0c

SHA512
c69c98b50fc5c06db92137e7ec11d815213dbec8cf581268ffe4613d1c3d4a8abdac7fe394b1a9e6c7a467fbcc76160a992b7232416356f07cbdc24f06927670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
144d9bf25847948b3504024e9315434b

SHA1
178b025c1582f3d8b3fc5c14efc94f156685fb32

SHA256
a5c9d0b831aa9b231505113f6cdca73fe07da73647e43d9e33aa5a6e16644a1b

SHA512
5c7a517d1c603b9931f31df95ccabe33b71b4da56adeb32480f4d0444e4fd32d9311d6a10fb380b0191a2137508ed05f6512e046e313d90432e07addcdfd5658

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
221B

MD5
d42fc1cdf6039efa50337e8f263a4789

SHA1
6a14d7b64751f701b38afee02962da86e284a9e2

SHA256
53deddfc647d21f146c6d7334e91f4a02bb47ff4f815ede3c3e4990e91a52997

SHA512
6f2555a686ea1981061434052df55efa8ce7d0047dab4e56a85e510b62cdfdbaf820962cc65303f1afd106de1c4b6a23f0ef24edfc1a7cd9b33f0dc1e2b174fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
658B

MD5
83897da495887c187e936cb9be671a1d

SHA1
ea7d98d096498e79bdc8e13bc793eeb72fe7db66

SHA256
bfdccbab945063f15d339a382f9438ce9ca808e9e54d9c0644b0a99acf7359b0

SHA512
bcdf707f7c3b3b6a89019fc9d59f08922cb5a33dc6e18b1c629c7b66f0ee61d580ce66ce9805f1aa4c7b3cacf34625e4223bc9adc4458c2c5c214fdfc147fe15

Download Submit
C:\Users\Admin\Downloads\Config.xlsx

Filesize
15KB

MD5
51c6c44acfa033008df4f75b4a1b8e6d

SHA1
925a8ad35104538f16d98b0253720de1027c4a94

SHA256
58ba6cb25e1bfb63aeb381bc5294472ffe89ecb7e86a4e02ee7c9f329e6a7343

SHA512
0e87265be561c8fd0ead6d9861e2529540eeda9c42b308bf4194da58dd63a9c93419b672b0c5fe73115df4372585e2b6e8a54704accbd54a65c1d9de91c22f02

Download Submit
memory/5932-183-0x00007FFB77280000-0x00007FFB77290000-memory.dmp

Filesize
64KB

Download
memory/5932-182-0x00007FFB77280000-0x00007FFB77290000-memory.dmp

Filesize
64KB

Download
memory/5932-181-0x00007FFB79690000-0x00007FFB796A0000-memory.dmp

Filesize
64KB

Download
memory/5932-180-0x00007FFB79690000-0x00007FFB796A0000-memory.dmp

Filesize
64KB

Download
memory/5932-179-0x00007FFB79690000-0x00007FFB796A0000-memory.dmp

Filesize
64KB

Download
memory/5932-177-0x00007FFB79690000-0x00007FFB796A0000-memory.dmp

Filesize
64KB

Download
memory/5932-178-0x00007FFB79690000-0x00007FFB796A0000-memory.dmp

Filesize
64KB

Download