1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00

Analysis

max time kernel
155s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe
Size

44KB
MD5

77c428a82bfde26dec3a8a2924cc4c0f
SHA1

5deea76762267d4bdd815c03b9cd90ae3696c137
SHA256

1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00
SHA512

6d476acd5240fc8c94e878f9fcbff0b6283933eda75d76603629ff8a607deda41466c67e331cabff070ffda148f2c9411fdd349cf828b7134e68372c93d6e7e8
SSDEEP

768:rXOlA6yvucR5MWB0siLGHkHzYwBqBQKpAq:rXO/yWwsseGsTBqlpd

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\52b2dee3-f004-4787-be1f-e0ab14970144.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221002064313.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
3372	msedge.exe
3372	msedge.exe
5076	msedge.exe
5076	msedge.exe
2344	identity_helper.exe
2344	identity_helper.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 5076	540	1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe	82
PID 540 wrote to memory of 5076	540	1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe	82
PID 5076 wrote to memory of 5044	5076	msedge.exe	83
PID 5076 wrote to memory of 5044	5076	msedge.exe	83
PID 540 wrote to memory of 1220	540	1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe	86
PID 540 wrote to memory of 1220	540	1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe	86
PID 1220 wrote to memory of 4892	1220	msedge.exe	87
PID 1220 wrote to memory of 4892	1220	msedge.exe	87
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4848	5076	msedge.exe	88
PID 5076 wrote to memory of 4804	5076	msedge.exe	89
PID 5076 wrote to memory of 4804	5076	msedge.exe	89
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90
PID 1220 wrote to memory of 4068	1220	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe
"C:\Users\Admin\AppData\Local\Temp\1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe99e346f8,0x7ffe99e34708,0x7ffe99e34718
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    3⤵
    PID:3120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 /prefetch:8
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:1128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    PID:3512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:2844
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
    3⤵
    PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff733325460,0x7ff733325470,0x7ff733325480
      4⤵
      PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3024929743690306554,9039367282015987908,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3212 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1f18dd9584f4598b2576c4e7101353c20d33fb2932647814925af0db77ed0d00.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffe99e346f8,0x7ffe99e34708,0x7ffe99e34718
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17695138259727844635,11471792299593908917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17695138259727844635,11471792299593908917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
fc4451743ae6d96d07076f3062309c18

SHA1
ffe7b073fc93cc73b1779d73528763a15c701ec6

SHA256
1e1ab179c71a268faa3558cb48f11d2c9ea8d30f6cd6b90d8f5a68c03769f6be

SHA512
c2d22f63a041d8bcd2440b89aa12f6e08b6e483a637e6bbee20e83803dc0d9ea3fb826e8a33612e5d38f55bd34e5a80961ec35ebade192fc72f7a281d2fa7ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
412B

MD5
b3e49d846c667d7176d844f188fbe370

SHA1
1011ea718fda618a98d8140e5a4266e896798c6b

SHA256
e17f7a4b1d3149b0bb551e9f699f5a0ae03139018fa6454f1c0950bab3c9df9e

SHA512
9438cbd92f99687b04d88e03ed38133785b6a606fb24c267eabfe43295b0600243191ee44446b5666ce9a3506918ad3ac4119e4d64aa3f23b819a9e2c9e058b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
77eb2b71325f922f17597093effc391f

SHA1
29b73f47762466bd53c7a8640b79a7928c44ece3

SHA256
15da3567559efc1fb49dcb301e512ceb68756976019d45dea4fa18f27d7443a2

SHA512
d478ed820651949f334fa1ea76c7b0a10a4f6c10a263e7b9229aa510c5649a509d9148e140e6ee1208bd42a32f6c6e3f6bf085e3afa111ec4ec714851eb98533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
5c19c9bd47d74db58cdd0206c2e93c97

SHA1
6d3ac5bb9f5d0ed7de3872e22d820db2450450ef

SHA256
4167d4e85f51318ecac1e829c618fdc11d8de16ef5092f90247bee943c440729

SHA512
22ed4728d9ea7ca1c1fc3ef5f728b6650b31911193b08702a7a3aede186b6d14b64aef96ec33abd79ec21e8abd15672e45696a7653acc7da52fd0598cfa70b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
77eb2b71325f922f17597093effc391f

SHA1
29b73f47762466bd53c7a8640b79a7928c44ece3

SHA256
15da3567559efc1fb49dcb301e512ceb68756976019d45dea4fa18f27d7443a2

SHA512
d478ed820651949f334fa1ea76c7b0a10a4f6c10a263e7b9229aa510c5649a509d9148e140e6ee1208bd42a32f6c6e3f6bf085e3afa111ec4ec714851eb98533

Download Submit