hxxps://d3hwtxj0w1i8v8[.]cloudfront[.]net/2024/07/2/116/TA[.]xlsx

Resubmissions

12/07/2024, 11:28

240712-nld99s1fpp 1

12/07/2024, 07:42

240712-jjwz3swhja 1

12/07/2024, 07:30

240712-jb5x1stfll 1

12/07/2024, 07:25

240712-h82feswdkg 1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3000	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
2960	msedge.exe
2960	msedge.exe
5028	identity_helper.exe
5028	identity_helper.exe
3700	msedge.exe
3700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE
3000	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2280	2960	msedge.exe	83
PID 2960 wrote to memory of 2280	2960	msedge.exe	83
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 3008	2960	msedge.exe	84
PID 2960 wrote to memory of 4688	2960	msedge.exe	85
PID 2960 wrote to memory of 4688	2960	msedge.exe	85
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86
PID 2960 wrote to memory of 2104	2960	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefe46f8,0x7ffaaefe4708,0x7ffaaefe4718
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2009586109378335277,1211727490394160606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\TA.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\32c5338a-3c2f-43e7-9831-de98d8968d29.tmp

Filesize
6KB

MD5
3ed12dab79ea8a626e2cca54cfa112ec

SHA1
7217cb34ec195cc8da72019ac363ccd1e7a44d4e

SHA256
b47105218e2429a956ceeba72e939b07b715025611728d3ac208a38bc0f7d90f

SHA512
4eeba73377d437bc21a9d97e403b5bb683a12285df674f0e0316a34b11e02c40a41930fda6bb21ead7884945a2ae5a09112cd05380aa970f3e16c4206874d631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0df0571b6a2b5c5fad85e5ed0f39776

SHA1
ff54df9c8d3fb98964d3ca948f762acc6411ed83

SHA256
4507d8f360cb26684aa63a82fe7b1919d5771454559c6be6f48c6051ac1756cb

SHA512
d62475b6723e8af90a3747eff8aaa5ec3c4f2c9bfbe4fcea9cefc109c5af6bb97aa51e6c118d49faff8801c8ff6537b7045fb0ca407cc1b827cf76820a6c1075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e67822eef7f1fbf812619668a83ae27f

SHA1
6533a0e2c2313e7bb603bae33d1239821aee1146

SHA256
b3ce84d465dbf095cdc73c2bf7bbbef2d2b4de7d524eb19994b9d2f479aaf823

SHA512
d7802711d3574c42aebb9ab81ae877a48b79783cdc3cfcb2c51417e2f1d5a5e6f184fa68af0afd015dda12ff9dbddcb3f2081dbd27d2385da21a3d263c3d42cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
536d787bd63976f3c041015d19b5b3eb

SHA1
db91459a804617c42b3c715f5bb9b99c795a8e34

SHA256
341248d64ff4a49f09eefd9526e44b5263871db62154b8c67187c09e732799db

SHA512
6a849540e2a6bc90e3a8576d473db23b181653c2893bf7ea581165c1f08f9edc0c0503cac66596e4396b010643ff893ec3fb1d9b5f250f1b6744e2aaae3ff559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03f0cfb25d08d66eef9d0813e44716f5

SHA1
e1000e06c14f236e29af33563fd689019e25f9e1

SHA256
d9ff92dbf6c15b725818572690f77af76432957ce4087e3f4491d69a33414f1b

SHA512
8ed66b9a194b2c0b11d848e03b05a004aedfdc00c5516716d2ba208b61c51087e31d0b556abff1dddefb6ae58e7e99998faa334e74c9e9cd3758b8807bf75dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e1f710981495f896364f1a1652bb306f

SHA1
1d28d56e5004b784c7f1ca9454173c909d5ff673

SHA256
f92d2cc062046beee3b5994de00c49f0f19d87c81ea1a1015a8bf1880ec725c8

SHA512
9cb2a96e84d8ca9e26a4a5b19820213dac0fd87f905717ea6a982f813c2edd180f3593a7ff3b247d7d15f69606d03dd280c84eb98903ce1bdb528de0531457eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
1b6812a525a1d37f2a38ad4e90283250

SHA1
6e989b30e4eda4c63cf88d838631e7856d5f0ee1

SHA256
550d73b2e6389b1ac706a98a6a0f93f4867461d6568bd35648335e0ab8d920f4

SHA512
e479d0d103295a5a9210fe8f26023ed0781c6bf7be00d733a1f2bd1ea4cf274183dccbfc1c2244fc966f5f6b5b4375c15c422ecff915c64850ed684dee9c5670

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
238B

MD5
1370e91ff4966cbf61364f4cbc55be37

SHA1
3fa200b74252b764429572c08ed7e1b2b0f879ac

SHA256
763b229a7062d96257abe2bec415fe51b6e54b87c278cae933b8a164f1fa3a11

SHA512
31d1bcf1ae864624bf02ae5dd60cc62875cce5a3734caa4b6583dccc260574841659c7ba2ffe93a40fef10b3da2394449e91dbffd94b73b0f4dfb69f2b3049a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
665B

MD5
efa745374eabe978080bd0af09195c2e

SHA1
0a76878b59b3d39d25e43b98fd3bc88e023eb49f

SHA256
6a3b4f952bef5238ecf0716f9b871b15eed698dc5ac06cf27b0a1c36943f0549

SHA512
3bc87b8fb1451cdea1638a04c0e85708c4c7030697a320afb11b28ee756df3ebfdc62d9107724ea68cb1a8e8a425f2d0bc18dfe58223f7a28b9dcf3c9df2a097

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
f63915f3ca4ecce2930e40551eda03ca

SHA1
3ced43bdb6fe07b03d20b731019ed308bc786254

SHA256
1c36080e2d3bcc9d92709875d63568da61000b96cbcdb31ddaf5a041357d95f0

SHA512
5cbb2956c7802fa3c8d039ba59182d65aeccc3dc7c12f09bbcf0367c78de89bc1a8736dba378a35b10cf40e0b5641ec70d1904a78965b788178a57dbb43d6c1f

Download Submit
C:\Users\Admin\Downloads\TA.xlsx

Filesize
272KB

MD5
95bd674471a1dde0b7ce34673a1b640e

SHA1
9ff7ed92bab683abe58ce6796d0ca7cd840ef6db

SHA256
c27950ac4d525c834ace8c52a3d2abbba6e3122a0ef177d82feadb2c38014066

SHA512
718072bb08d14644c29522500af328bb1e82affcbd1ed8a14083c6391992187ea3cc08c77fe2623de08acfaeab78f20e16f2b8cbc7639079035b2d51792a4aab

Download Submit
memory/3000-60-0x00007FFA7B8D0000-0x00007FFA7B8E0000-memory.dmp

Filesize
64KB

Download
memory/3000-59-0x00007FFA7B8D0000-0x00007FFA7B8E0000-memory.dmp

Filesize
64KB

Download
memory/3000-58-0x00007FFA7E190000-0x00007FFA7E1A0000-memory.dmp

Filesize
64KB

Download
memory/3000-57-0x00007FFA7E190000-0x00007FFA7E1A0000-memory.dmp

Filesize
64KB

Download
memory/3000-56-0x00007FFA7E190000-0x00007FFA7E1A0000-memory.dmp

Filesize
64KB

Download
memory/3000-55-0x00007FFA7E190000-0x00007FFA7E1A0000-memory.dmp

Filesize
64KB

Download
memory/3000-54-0x00007FFA7E190000-0x00007FFA7E1A0000-memory.dmp

Filesize
64KB

Download