hxxps://drive[.]google[.]com/file/d/1Rpaw3v2HysDga4S6Nm-rgyXwSxMWyta2/view?usp=sharing

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Rpaw3v2HysDga4S6Nm-rgyXwSxMWyta2/view?usp=sharing

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\teaclicker_build4.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
3096	msedge.exe
3096	msedge.exe
1404	msedge.exe
1404	msedge.exe
2584	identity_helper.exe
2584	identity_helper.exe
904	msedge.exe
904	msedge.exe
5128	msedge.exe
5128	msedge.exe
5128	msedge.exe
5128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	956	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	TeaClicker Remake.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 1256	3096	msedge.exe	77
PID 3096 wrote to memory of 1256	3096	msedge.exe	77
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 3572	3096	msedge.exe	79
PID 3096 wrote to memory of 1080	3096	msedge.exe	80
PID 3096 wrote to memory of 1080	3096	msedge.exe	80
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81
PID 3096 wrote to memory of 1372	3096	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1Rpaw3v2HysDga4S6Nm-rgyXwSxMWyta2/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd19bb3cb8,0x7ffd19bb3cc8,0x7ffd19bb3cd8
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5448 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,6275655331959358144,13584957476988335904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2016

C:\Users\Admin\Desktop\gameBuild4\TeaClicker Remake.exe
"C:\Users\Admin\Desktop\gameBuild4\TeaClicker Remake.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4808
- C:\Users\Admin\Desktop\gameBuild4\UnityCrashHandler64.exe
  "C:\Users\Admin\Desktop\gameBuild4\UnityCrashHandler64.exe" --attach 4808 2560937955328
  2⤵
  PID:4080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004A8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3244

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4268

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b1f20c797906f82fd003270485ceaef

SHA1
51ee0859382d77aba329e0ec2dad81b383c534ed

SHA256
7980e988f80ffc29a79b2d13c0d4160ad1d1f77fb6ddd95b7ec263b7421a0c91

SHA512
7b8f859ffa55759a1e90540754bc80a4218ddf2ee953736865ba4c5c9aa33556bd8ac45da1dce7426c75c5d754268c450054f875927cbba800ad665f09941cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
11b22949a84a750056bef0aa6ea4fc45

SHA1
c3d49da0344a2bb3cebbce6569b1fd223aa2ebd8

SHA256
59db861ff42f39a5f777bd9b8a167b7b15c96e60ed148ea875a9f1f0d4caaa6f

SHA512
01bbc38a4b8fb8a53c3897d63d3362c8a980fcb395986671cfd13e0fa893a68ab3e45379127da69565e0b1e4125a41834c62b06b8d9b852c6b71a1ec68a930b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8c2ef744411d43e8de8158f1dca42927

SHA1
494b576ee1d681fd1ba96f05cc7538d1251866e2

SHA256
4a63e3a7f13b7f9211ab4bce1ef6bd2827da049941d38b632c974cf862a9724d

SHA512
6f3217c813b14d195a83991ba5e350a98065b0caa45a403d3c696e5f91aeae13c712ce3229a0ef6c446f377c8b7772d29d12551804a01c96c241a48c28f53cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
536cbf16d395bfd3d9dcfd7bdd12a598

SHA1
f239e2ec01ba27f12e1400c3e0ce903dae40c21b

SHA256
654ad848e1f7c44d27050d97f04d4e2ddcefcc68057b34897bbb3e491ae65047

SHA512
909f66cb10adfade9b3299ec6abf9cd2256293893619300562aff6e4fa2ec71ea65832403f60324cc8256748493d6e3c7457825b4abd64c97423f1a000a56374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b54bae5b0c780b8fb0b5dc2c0bd2cc3a

SHA1
08f1c326e17d1458e60bd17f5fa0cfc7a7936643

SHA256
0f33395a7a15a91496086e0a0992cb5244f7cc9f8cd442683bc248832aad6b90

SHA512
52e3947bee50fb475a49ea4b21dac6a87d60fbe1b7705cb70cebc62bb542ac9680ede8a736b8626985a1ca0e5e97ceae7514580e6bfe6b4e357ca8901dbab58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ddb0eebe2c08af8ff76cb75114179008

SHA1
9aaa051d8f199dfec4cea82099f1acd6c3a83844

SHA256
508ea623ca91e091b084536d87ba677a417077dcc3de78988530d00b15a24f75

SHA512
6c865ccecec8898eb7b42bffe9cc6e6196693d100a446d89be5a858fd3e6806c3894430643d329d2a16949238b27ba86099e0c3382d5fa937db9655c28f84f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45914ec34b6ea656177d9d14d1ee1b5b

SHA1
78a2bdd2d9742d29a25aa22554b2769394fb3829

SHA256
13128990e0d334d4db0b8e3f2b2a7c5326a14368a6f7d78bb30d85e22726c58f

SHA512
33e0b7a2c3ab40f3f4e6ac74f0fa825aae4f12229a03c2ff24b3ee0bb017c247adb2b5633dc67be2b6e8682993855f8d3985a2a671a038380b0079980c92d9ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5efe9b27ae4ef3684a0a84e8c49d9e6

SHA1
1e86e1d7e72640ecf5f500fdab9aeed42d4a20f4

SHA256
8fc0c1068a216d57341da68010b764209b56a498935271efa92c656a4e916c23

SHA512
3a0189387d2ff82f0e9caa74f9aab3047ec5f53c8c48cb5547ac4b60ffdafd975cb4bbd72f9dd0549df51b360c9e9a2065796c48b32c8e70dcee3caf217d2646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f55a0a998246557dc271ff92d9302f4

SHA1
830c042824af99c79627354ee4d670bea036c5ae

SHA256
b1f15c8ceae7a908b7975ec4f1dbaed6290e3ab9e43d917c0fa06d07f4ab33c2

SHA512
aba8bcb81a8893333abf699e9805211df4a670dc0a42d9f132a39b964134e19ea17a101d4cd7d947689e1b4a38bfda46018305f1389feb6dfd9f6d30dc99318d

Download Submit
C:\Users\Admin\Desktop\BackupUse.M2V

Filesize
545KB

MD5
babc472a1222d5d4aa2c36000c8cb796

SHA1
50309cc76b63be6e5aac2992f50b75429eb50adb

SHA256
b2278c59b74dad115e45d2d6b031e392fb7dbc02793571e9c0b1f23f459cfa70

SHA512
dd2549ac847bbb7d6031afb38ca2aa0e2a56218e4cace81f8277c7a74eca83a18bab48bf7d4dff8404936578c0bd3097603d929aeb75035caa92ea43d6959c87

Download Submit
C:\Users\Admin\Desktop\CheckpointFormat.m4a

Filesize
345KB

MD5
7f5584937b77828ce0a663610ffdebf5

SHA1
cf38fbf715cef8ca6d2791641f8d3b715751489d

SHA256
4ec7d0b8b9be41c334cb20981639db42046abe8c28c3b451a3b58d5bf6f3bb97

SHA512
20170f3576cff0db1307d149e0179a84ac9ac0b3970ab28b96b9a2f20570951709f52e82f49029c7d9b5bcb7432baf2cd6312f22b4bc61f5719a4b96e1a03ada

Download Submit
C:\Users\Admin\Desktop\CompleteConvertTo.contact

Filesize
290KB

MD5
2a76674784710d7b6471aedcf05b93b7

SHA1
389d7de73a97138af99d7593149b5f99002ab860

SHA256
34237af4c25122771a7a0fd63e58dbcde2a1ae1622f4e76166333050fcc3ea6e

SHA512
49187cb1a8db3827d305a2ec1210208550cde61986d6e1910d1870c5b51c45f043f6fcda8dbdef282359f224be3743dd6b578c30cf0f720469fed611c98c1167

Download Submit
C:\Users\Admin\Desktop\CompressResize.pptx

Filesize
527KB

MD5
bfd0a5980517e94642c7acb5872ecc53

SHA1
ac04a8b742520a55f42caec85a2d08b2253858cc

SHA256
e114c843d4659de54e0e16d33ee7ac7f987381199b86f779be29f43a784b7b11

SHA512
f402067ff78f3d75acb9e54dcf9af5292e70e75c4154d56db951194b66830ebcac2d80eaf60d6febf6b65e5fd8388b2193405cff9da27e88940a28ffee8b607a

Download Submit
C:\Users\Admin\Desktop\ConvertFromDisable.mp3

Filesize
436KB

MD5
226cd4b44dc605cee236a104e64b0ec9

SHA1
af1a7ed6fe97f95910259bad5bd2b06fbb4fba70

SHA256
db0fb254aa699329b2566eb43a0c26d31c3026e6b02ee42b7850777060c62a59

SHA512
4679042cafc6d7bdcc54cb1954546ee19d4c7e2d1e64e8f64064fc61747dd12781bab3afba62f1ce8423b57f4bfc6a2ae8427834aa3618a90ece4c04db42107c

Download Submit
C:\Users\Admin\Desktop\DisableInstall.vsdx

Filesize
672KB

MD5
4eb03cb4e46faaeedfa1a755baca05c5

SHA1
338175514babfd0c92356b2bc7fd253156ab8ebf

SHA256
f61e5ab99a20a898e3b2c9a2aa2f4ae3c97cf859eff8526613ffa1a719a4e81a

SHA512
cd38a7de9b1e318349f7369b9a28754b831d13ca0cfa807b9bb94c67a6d8942233961f2bda8b2de294d0d8c9b640208f5ec65ece5496144eb342b133cf217836

Download Submit
C:\Users\Admin\Desktop\EnablePing.potx

Filesize
418KB

MD5
a37e51080fce4dc8e9016df9ff048ceb

SHA1
490b2b19cdd42b2e7b93072c14e3661596114602

SHA256
2e251dc675f2979b4b19ca363b51de0a856201dac77c2a10b1462df028bfa710

SHA512
45026ef7e0a76d16d552c0bc42d863b26c461d276a422f15e460a3814675483ed6d04d282df4add3aebe9a5aeba24ff1c8d546622ad56d3a0823db43fa201cc6

Download Submit
C:\Users\Admin\Desktop\EnterRemove.jpeg

Filesize
926KB

MD5
8b06dd6d029878bc10d24a9957ba0007

SHA1
49744a9a78478da63136cb3525b14156dca48bd5

SHA256
6f3d5adcb5e10b2784036d2f14a75cb2b98ef955e2122e27898f0599ab735e2c

SHA512
3d78a8a3f5eb7f0476b1bcf2d65cf9762f96a8349ab6f03e995731e769c756f73e1c4954187748cafa916042b4b845251cf6475598470b1b429053e7e1698213

Download Submit
C:\Users\Admin\Desktop\ExitRequest.aiff

Filesize
563KB

MD5
2c75ec5a26a5f1995502eef383eed0e7

SHA1
9b4c95b3e2a17db390977bbd923a9fec93a9f1f0

SHA256
d5ff2ac9fe8c19cd101695ceba64df94da135b527c7c7026def229f882974493

SHA512
cd63bc672d9f29f4565a8e2627c9fc4aa03b3de4fa7b6698423b5eb3257e0e1f477bd45ee91adaeceed0db73fdbaa94cd41cfe63ea4cfb4919dc48aa3dc30e76

Download Submit
C:\Users\Admin\Desktop\ExitSelect.3gp2

Filesize
327KB

MD5
00839b965e84cf71d051c1fc9af5717d

SHA1
9cb432a576f7b1122517f029f3e7621b8512bf6b

SHA256
c02896ba8eb447b914067fca55eed73dee55f69da588a4869213acb4653d9fcc

SHA512
a42aa0b856973ff6c57da2d9466e911af2ed994a69dccaf2b493cc6d3aa415b30eeb072b6f55e1f4f07254ab261948b61f66fe1367cb89449b0b6ee2924be740

Download Submit
C:\Users\Admin\Desktop\ExportGroup.WTV

Filesize
236KB

MD5
533fc7bf7807fbd59197de5d0e4f2844

SHA1
d3a947c9f2f55a75ea443030b05af6282fdf707c

SHA256
170b59eaf2087e9bbc9f26916d4ff158761ed1ffe20017b194b91e3e0bec3b63

SHA512
1026403ad317f22b8814e906d35e1f656d85e405ce472738d09725af4f51df759ad4a1a318c6dd1116f8274ddf8c3b0838ec54e606d0b28ecf49ffa92f083a53

Download Submit
C:\Users\Admin\Desktop\FormatEdit.3gp

Filesize
363KB

MD5
3058ef4c2ffb3c587a8cbebd2465de1a

SHA1
7ed97834776bfdcc3c9744b91786355d0795c184

SHA256
2e8c30fa3b048e74cad3283c32dea73c3898df8c2bd9caeeec9a469253b31511

SHA512
6d60d5cf7d7b998276bf0cd6ddcdae90e8cbf183689707b384bfbbdb4a6be657fd5afc52aea98eb2771cd4d1e4fc1d43960f2b9f8fd454880d8251be65b6df78

Download Submit
C:\Users\Admin\Desktop\ImportDisable.mhtml

Filesize
309KB

MD5
a67872a0978d25689932cb7e15a0a3fe

SHA1
0dc286ac7298cb4bb170f931100bea74a871bb35

SHA256
83dbb4a2899b5dad978b907eba8782ca9041d3ab9b262817f0654923cf822158

SHA512
5bcd42395d40e96ea21d4c6db3070c8577a4e5900c82543b1fe6dca72a8961fe559aa90e474a2a3c928869fc871dfdff96e05a9b18e34790fcdad759b0c21945

Download Submit
C:\Users\Admin\Desktop\InitializeDismount.dotm

Filesize
636KB

MD5
9f8e647db9563ed35f65fc5f56a8624f

SHA1
bf7f81080465e92bcdfa3703d20a270a07436ae6

SHA256
a9489df59ec1b38534d2f123bbf7751465c33c997fb6c61585def74fa252952b

SHA512
c749750c81c867095f4bee63185ebab996285ab650d5a2edbe2d29b72fc60c19c77750387b31e6d996bf66ee4da4bdd25c8e5bd7b4297f417003e19d3879f70a

Download Submit
C:\Users\Admin\Desktop\OpenRedo.jpg

Filesize
472KB

MD5
b60bf723b3c34a584b22be31fcf80d58

SHA1
5e0200fa9b96cacb796439d0f4cb06a44b898c9c

SHA256
56ff196b5beb1200977d8a2b89e9e12619b6d7f77842f7179f1dc3b4fcb801d3

SHA512
c8cec592827abd78b286dde934307a5b9fcf72319829017ad78d77d361d6f035fa887b4c5cc6a93a9697ff9be214ec282a171db7e6f196f7ecd597380759c985

Download Submit
C:\Users\Admin\Desktop\OptimizeMerge.mp2

Filesize
581KB

MD5
acf2f7a9eb60b7c94250ac29397b570f

SHA1
b7e8600017220aab9a2aedd6547df3162605a734

SHA256
62f69a29f75b913dbd367dda893114af3780e6451606adb595a0f7f2573e4f38

SHA512
fa815eca7bcc8845b71b38214073760fdffc61f0451648dc054b351a1210d4956109686e4d47c8dbfd0d253d2bfa8dc033e686fd08ceda9409e2593b9aad9fed

Download Submit
C:\Users\Admin\Desktop\RegisterWrite.mid

Filesize
618KB

MD5
c5c50009fa60a8b2d1f61e972259af74

SHA1
e3fef7750de9522627b870ce7c34779033702c8d

SHA256
76d7c57e1c2e19e0108f647b3b294a15dcb4d9e77991cc5098341f9562ab5e04

SHA512
1ea7aec91f0f00898f30279f3074c4084f55837025430cd84350b0b120a3e782651f2ec325e9bf22a771ac0e57f0981173c1ad3189f4fe6a71214debe2b104da

Download Submit
C:\Users\Admin\Desktop\ResetImport.xsl

Filesize
454KB

MD5
5fd15384d308de0132de403d19c13aa4

SHA1
66b98736d3c0d8f20b51eacd5ccb9608dfd597b0

SHA256
72dff05e94180f7b4fffdb78b5e05efea4bf855a1110a4d383c9935861cd0929

SHA512
e69cd03f71746664513f593f6d9242e912437480e7197e36ac2f16227dd8945263d8ec6514bf007f950c93dcbd9b5c31c0cb5043953b77921800f75c6a5f38be

Download Submit
C:\Users\Admin\Desktop\ResolveFormat.xml

Filesize
254KB

MD5
a04a6ccb0c41ac7164497b6f5b414c6c

SHA1
bf134301e5c31f369dbdb8c3ece2f5c07df4a51d

SHA256
97c91bd157bad1c01899b8ae9487f88aaa3d0a012fb2e11ba5f299362512011c

SHA512
5b5faed0ce204dc71ae466db4b28160b6a6b990f6758c46ae37be3f69c323b689c197d0876e8e45a0f0c5e6e26f149c583e384b71204af675ed44167a9e670ab

Download Submit
C:\Users\Admin\Desktop\RestartReset.svg

Filesize
399KB

MD5
9df3580ebf112ce0cbe0cb856c8b1f44

SHA1
656fe3a96cb57ed49f53aca3aef96580fa0320b4

SHA256
2d55a43db24eaec6a70645f5edb90f1efd5795b7762ab23efe60498f6e77ad4d

SHA512
26093ab6fda3db19f3d9c96cf22ec4eedcfa5a4972460156b7744171d673da80d1d607c519ec296b6eed81c8e855ae003a52bea9c437660675fbc6715fe87d2f

Download Submit
C:\Users\Admin\Desktop\SaveAssert.shtml

Filesize
508KB

MD5
f25508cc5209552debdd8bbe5a82061c

SHA1
6179a9a6d073eb9c9b016229eb0d44bc2301eb46

SHA256
656681c97747acb185b2ec81d74ce60ba23f8d0529b7ac2ff566b705a08b5531

SHA512
32420eaef56a5434f046e0ec222b494e08d823df0ef64bbbbc3eb48c76d53986e109be1fb6fd9d3603c734f8491d8405eb307917e885a1ade76094795cd9872e

Download Submit
C:\Users\Admin\Desktop\StepClear.zip

Filesize
272KB

MD5
8fdebc850a0b00af7e06aa48711eb7f6

SHA1
21328ecad28823ef4b9819a1abce3560c71141cf

SHA256
b73f54772fa86c1bba1ac35d753bf15731ceb1c0261de0c618ab746406af553b

SHA512
1159946f00873be54435360068d8b967de6ae5061414738e87d6c3cebeb67c822839fb10fb3bce5d55520294c675f34ce626135ec53ae85503fb64d3304bb11b

Download Submit
C:\Users\Admin\Desktop\SyncLock.cab

Filesize
654KB

MD5
8b193eeba1a9f335bff210fb372723d1

SHA1
3105fe69c17c5838abf11dc432e43cf74e444e2c

SHA256
ac72dda4f6eecaf5214b2919f8a8ace3148c24a7c3dfa34db656fb00707876b7

SHA512
efc6ee76e5879bca8e541e7883fcff30938706399697a188f13aee093c104a745df0d2dca5417973dc9be33637e1b5caebfd8e4934be59c806bb39fc4ccaffac

Download Submit
C:\Users\Admin\Desktop\UnblockConvert.ogg

Filesize
599KB

MD5
e5194dec5a22ec441516b9f66f0a66e0

SHA1
23001ea0bf4c51ff601683d5669fd10e7d3fb536

SHA256
d177936817ad85f6cfa288dd61328880d7a45df7c557392b9d7af5a7abc84cf5

SHA512
f83cbe17c0714e3713b91a52707a97d8edcdefa4c9a9243159ff35a0c19132b7e60f95b9b64789534215d36cbea8addc990c44bcd963209fc6152cd30123dad8

Download Submit
C:\Users\Admin\Desktop\UndoRename.asp

Filesize
490KB

MD5
d3b40b77101cad55c779f3e04f601fe6

SHA1
920c8ee7e29b0f10bd2113f19fc41cf78c074781

SHA256
eb24129a6fe24da439a29479b0c48f4e4826c902c196d66b5184cae8d16057b1

SHA512
d1e7706141b66e759aa1c1b9e709204b14e05ff334ac98e8b5d69c062dd6c35d3a9abc69ce27aeb1a9be263ed190ab64a413d1822d648c0e7b74251d4761232b

Download Submit
C:\Users\Admin\Desktop\WriteWait.bin

Filesize
381KB

MD5
d3a6a5e9e6e26ea2c918dd6f4c1eee35

SHA1
23d7197e55961c22ab684ee375d4af588791a17e

SHA256
74314736de2c7044d1e0ab244fb2b66abbacc8de39ce1352033132d27f1ab948

SHA512
bd679533285dfcd243dca82bb29e340f9f901200054c11492f4e7ef32bfb3f6e7b700ca2e20fc0107fe3778f5c5f712d8179d78600a96a0f0c895a12acc30715

Download Submit
C:\Users\Admin\Downloads\teaclicker_build4.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit