4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb

Analysis

max time kernel
170s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe
Size

381KB
MD5

7a57ab6e8506f0e54408bd299c7542a0
SHA1

25ccaff8c326fb348c58467da08688d64b24676f
SHA256

4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb
SHA512

af1afe8581355679ab63c32f653b8971ad9e065cf2654edc746fb491aeaa9f7298a496a275958dc1abc333217dafe371b2fd4aa1d6a75e98227dc2faedef34e8
SSDEEP

6144:KCvc/B+c/Bahv2KuxaO+VOVXl+g2bje/TcpqoUv/bbyTfBU1ieA8:fv7v2lf+VOVrt/TJJ/vIfKA8

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1b8ad81d-3044-4561-bb1c-96f43ff3e6ca.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221002070932.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1248	msedge.exe
1248	msedge.exe
4040	msedge.exe
4040	msedge.exe
4168	msedge.exe
4168	msedge.exe
628	identity_helper.exe
628	identity_helper.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4040 msedge.exe
4040 msedge.exe
4040 msedge.exe

pid	process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

pid	process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exemsedge.exe

description	pid	process	target process
PID 1092 wrote to memory of 4040	1092	4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe	msedge.exe
PID 1092 wrote to memory of 4040	1092	4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe	msedge.exe
PID 4040 wrote to memory of 1584	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 1584	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4816	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 1248	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 1248	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 4948	4040	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe
"C:\Users\Admin\AppData\Local\Temp\4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f47e46f8,0x7ff8f47e4708,0x7ff8f47e4718
3⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
3⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
3⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
3⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
3⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
3⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
3⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
3⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6384 /prefetch:8
3⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
3⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
3⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
3⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7eb055460,0x7ff7eb055470,0x7ff7eb055480
4⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1247559679388236301,11075995404402483495,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4788 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4ebc2909f676bfe052c3afea0c5ece94e25aaf7056b9392b9cdeb64ef5d33deb.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f47e46f8,0x7ff8f47e4708,0x7ff8f47e4718
3⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5312852158951807549,16909029528112584074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
fc4451743ae6d96d07076f3062309c18

SHA1
ffe7b073fc93cc73b1779d73528763a15c701ec6

SHA256
1e1ab179c71a268faa3558cb48f11d2c9ea8d30f6cd6b90d8f5a68c03769f6be

SHA512
c2d22f63a041d8bcd2440b89aa12f6e08b6e483a637e6bbee20e83803dc0d9ea3fb826e8a33612e5d38f55bd34e5a80961ec35ebade192fc72f7a281d2fa7ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
412B

MD5
5ad288aedb1095423a563b1805eb40c8

SHA1
a983da66a10857bb89a918dddd4fd7b12abc230b

SHA256
0b368aea4d9221c81600832f720db194bbac87e30ddcaa91ba12256e475fb3eb

SHA512
350c454a6136b77115c3ac0cc79f27c119c802e063eb7616bc5ed2d86ac0cda08091eebef0c466653d9714dfe2e75b17928d83cd79355de654e81afb28208379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a8117aa711296c165c2e8a0f1c517ccc

SHA1
26a71b263984ae1cb067ede894a89aa93ada372a

SHA256
9a3b0450d6cbc2182b60541db8d7ddc376af2f9f20237be40094dd7052f5ce77

SHA512
888bea7d503a1022d4a96a7f4de05c0e28b67153f528f192e593068c4dde2468a7857e07518aa46e6343a7d6ac5ae41677ff19cf629023095398e5dbf6d7f59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
53e90a5f961660349b3154b1c8a6ed0a

SHA1
ec1b255e70e9d6b615d2dde4fb6ad82d042105b5

SHA256
a72d9bb47dcc52b79f4400e625ac0e3f8a7d1b4e0a54c2a07a406f84baabfa95

SHA512
d2f151fa5f2e291cebd9c3cc80626544ac43f1eea79d49bea6d22ab9cba308318f7c3c948727faf3ff0e47dab2eb71a338775ff2aa8ce2b8950479f518c3dde5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
cc03d43b6461fcd0337af8cf2c219793

SHA1
999ec2f0a85cb05be69dd004af2cf31956a1279b

SHA256
3c8f6dcb246294f21103d9a4807e3439a3df045102e9cb39d3aaa4be4e7d0ae4

SHA512
b4e6b2bbdd7242aae099f0ae17dcebb965ccf76a858cfe88915bd7fa0c8806b900d7dc4a9f1ceefada736c22ad03b7f9af275e19a193fb5392750691962548da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638002810792906586
Filesize
4KB

MD5
432778b585897d0b910239ce38a2df68

SHA1
6e54340a96d3cda2c41fb818217c001ab5c1126d

SHA256
d297d111a5f7e93967ac23b0d54ccf7456e408d1c1bbacb2d3a728d2ae40d644

SHA512
6f5bbbd4af8bc2ae18ef2f186e6c6a29a9e5933f3ff98a1c438421c20375184479da861a722a55b1258f18b99682cd31b579f2496f702a78e4820a7f13f05caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
d4dba390ab9454a5408405d55f013558

SHA1
f3ce9d1b11ba8cb019cac4178a37b4a7d9b72891

SHA256
fa728d3a97a5694c54522b3bbe9ae4fef0970ef62b1bab8ba316a56f8e429caf

SHA512
ef0b93e93758b60816ebc23a44fdde3cf3dc5ead7f9db4fe0caa10159c9a171541149d17366b1f64c62d3933f792d757e8dc96b15db31920a7f49ccef506666d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638001453611427348
Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
\??\pipe\LOCAL\crashpad_4040_OHNWVQBXEGIAPDGD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4468_HUCNIKWQJTXWBAQN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/628-176-0x0000000000000000-mapping.dmp

Download
memory/1092-148-0x00000000002A0000-0x0000000000302000-memory.dmp

Filesize
392KB

Download
memory/1092-132-0x00000000002A0000-0x0000000000302000-memory.dmp

Filesize
392KB

Download
memory/1248-137-0x0000000000000000-mapping.dmp

Download
memory/1584-134-0x0000000000000000-mapping.dmp

Download
memory/1684-173-0x0000000000000000-mapping.dmp

Download
memory/2200-144-0x0000000000000000-mapping.dmp

Download
memory/2436-171-0x0000000000000000-mapping.dmp

Download
memory/3124-146-0x0000000000000000-mapping.dmp

Download
memory/3240-142-0x0000000000000000-mapping.dmp

Download
memory/3364-164-0x0000000000000000-mapping.dmp

Download
memory/3704-174-0x0000000000000000-mapping.dmp

Download
memory/3956-175-0x0000000000000000-mapping.dmp

Download
memory/4040-133-0x0000000000000000-mapping.dmp

Download
memory/4168-155-0x0000000000000000-mapping.dmp

Download
memory/4468-145-0x0000000000000000-mapping.dmp

Download
memory/4488-157-0x0000000000000000-mapping.dmp

Download
memory/4724-169-0x0000000000000000-mapping.dmp

Download
memory/4792-177-0x0000000000000000-mapping.dmp

Download
memory/4816-136-0x0000000000000000-mapping.dmp

Download
memory/4948-140-0x0000000000000000-mapping.dmp

Download
memory/5092-166-0x0000000000000000-mapping.dmp

Download