hxxps://d3hwtxj0w1i8v8[.]cloudfront[.]net/2024/07/2/116/TA[.]xlsx

Resubmissions

12/07/2024, 11:28

240712-nld99s1fpp 1

12/07/2024, 07:42

240712-jjwz3swhja 1

12/07/2024, 07:30

240712-jb5x1stfll 1

12/07/2024, 07:25

240712-h82feswdkg 1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3848	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3648	msedge.exe
3648	msedge.exe
1140	msedge.exe
1140	msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe
4372	msedge.exe
4372	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2908	1140	msedge.exe	83
PID 1140 wrote to memory of 2908	1140	msedge.exe	83
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 4764	1140	msedge.exe	84
PID 1140 wrote to memory of 3648	1140	msedge.exe	85
PID 1140 wrote to memory of 3648	1140	msedge.exe	85
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86
PID 1140 wrote to memory of 3500	1140	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbaaa46f8,0x7ffbbaaa4708,0x7ffbbaaa4718
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\TA.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1997194064223709058,9819229513069358525,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57354f4511ec8b364da7c6e45a17bfbd

SHA1
8b91bff8d2ad0a9548f11418c11f5ccc833a0923

SHA256
521d29f73099ca76c33f7127bfc903f5bd35f0a3d64993c044155c2100e9ede6

SHA512
03e6b8209ac286fa8f2809cf15b95aae07cded0e10948aae71bff2e8e9da2387fb0fd0dc472d2e2f2bb40a5385cd08bd2051146d28db1049bec521b50f520388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a99b90c36d174e27701deee2fe078532

SHA1
9a1aceb422b0ca709f4882c2d4986824b4ffd673

SHA256
9b8a13c78d1bb18ab24e185a1f6a9635703dacd5c21a9a4b04b42604666f0132

SHA512
9cf6b1f4e55f7c5660e28e90ca58499e5fc5e364223bb843916cc63182b5b025d8b1e7d8ddf944c3ac44850699c7932af09c162e46eecaa02c683a36079778af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c0439d1a070b452c0f54c80d3da21569

SHA1
9b754e8c51077ec6a7ddc71a0a0aef8bf664563a

SHA256
247542d703fe63dad7896d8dc9c2ac868240c2e2c386c027126dc0f227d376d3

SHA512
540a866e770ac3232433b024d84608b336095ea874ed6078a8122e6ef8cb82065f3bffa2f755aa205feacd180225884e7fcf1c12cd9a2c5abd77554892c74516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
5a820b7e2b18c2daa069809bdb2ec8bf

SHA1
1c796d6ed68870430542658643543a4517e0cbda

SHA256
809c4d2cb1fd7a2a566ceb3c759d2a8b77d973f2069258d6a5a66b91bb62999d

SHA512
238fdb53860aeeb592ea70da84304637868fae8a86a678c3d643fabefe32fe023dfba8f943aeb47eb85083f3141ead2335b4f45fc46849a7a431b44f56ee998d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
329B

MD5
32ffa922f4aa733ca3d0aa1712a50317

SHA1
72a9c7c9ae283996b7aa7892205a6370d1839a5b

SHA256
9d8710fa1b31d1ed420dc5338024a33f69332ac9ef7e655ea79eb73a4d2546be

SHA512
7b758ef20eeeb1879db857e7625ec3b0eb19d33f2a1b113f8005bbfb34fd98d5c3c980433ac7bd616d149b7e5eb393cf6a363d7880a8de5f9d3a57e492205b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
9e8975f8166b1c17a952566a8408fdff

SHA1
d6bbc2d32325281d57600e5618e3b8b1ea23ee8f

SHA256
64dc621abdb6010243e3441926b7748f84099115b64165a559ecdfad25c30412

SHA512
db3a33183336cc133ea4ab4fb8c3dcdd230551282d749c867fe73187bb2d2778f5509e12f4fa367588d47dae9a270d916c343a2bb7925bf04f48494f37521b48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
b7a00da9bda7d6ebc61131d5d35c7c0d

SHA1
ae07ce9657908dabb40c5d48c58bf6733353854c

SHA256
c4decb5d3e551b66ff25d89b10da0da034e7627fe4a0ee1ea88bf993b09bd0c3

SHA512
55300b5ca90bf1c0d15196a3fb1d551df621cfeaad8c780487a566f470f36bb3c4f80e3361f60960de46a2ba563d1cd726fb229a4ee00a5be158955557e9c234

Download Submit
C:\Users\Admin\Downloads\TA.xlsx

Filesize
272KB

MD5
95bd674471a1dde0b7ce34673a1b640e

SHA1
9ff7ed92bab683abe58ce6796d0ca7cd840ef6db

SHA256
c27950ac4d525c834ace8c52a3d2abbba6e3122a0ef177d82feadb2c38014066

SHA512
718072bb08d14644c29522500af328bb1e82affcbd1ed8a14083c6391992187ea3cc08c77fe2623de08acfaeab78f20e16f2b8cbc7639079035b2d51792a4aab

Download Submit
memory/3848-63-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/3848-65-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/3848-66-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/3848-67-0x00007FFB87430000-0x00007FFB87440000-memory.dmp

Filesize
64KB

Download
memory/3848-68-0x00007FFB87430000-0x00007FFB87440000-memory.dmp

Filesize
64KB

Download
memory/3848-64-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/3848-62-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download