3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe
Size

455KB
MD5

577f83b8929cf480740a24d0a49e04b6
SHA1

05e1df85247cd84eecd2465932325015e37b26dd
SHA256

3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782
SHA512

a6a6874e3ba5c825ab97ec266cee0b2366f85418057055a3367de7afb65105dfac277da3dcc298a37d8df3bfdc7551f27548bbfe85241b91fd82750f2a682052
SSDEEP

6144:FLHIWp/cH4GuKiHqbLZkH4GuKiHqbLZnEt:FbE2x

Score

6^/10

microsoft persistence phishing

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\aabf5a13-2990-40d2-ae90-e996b099e30a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221202093919.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

500 msedge.exe
500 msedge.exe
4164 msedge.exe
4164 msedge.exe
1244 msedge.exe
1244 msedge.exe
1548 identity_helper.exe
1548 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1244 msedge.exe
1244 msedge.exe
1244 msedge.exe
1244 msedge.exe
1244 msedge.exe
1244 msedge.exe
1244 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1244 msedge.exe
1244 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
500	msedge.exe
500	msedge.exe
4164	msedge.exe
4164	msedge.exe
1244	msedge.exe
1244	msedge.exe
1548	identity_helper.exe
1548	identity_helper.exe

pid	process
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

pid	process
1244	msedge.exe
1244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4824 wrote to memory of 1244	4824	3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe	msedge.exe
PID 4824 wrote to memory of 1244	4824	3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe	msedge.exe
PID 1244 wrote to memory of 4704	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 4704	1244	msedge.exe	msedge.exe
PID 4824 wrote to memory of 324	4824	3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe	msedge.exe
PID 4824 wrote to memory of 324	4824	3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe	msedge.exe
PID 324 wrote to memory of 1648	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 1648	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 784	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 4164	324	msedge.exe	msedge.exe
PID 324 wrote to memory of 4164	324	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe
PID 1244 wrote to memory of 2512	1244	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe
"C:\Users\Admin\AppData\Local\Temp\3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe9b1346f8,0x7ffe9b134708,0x7ffe9b134718
3⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
3⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
3⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
3⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
3⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
3⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:8
3⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
3⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
3⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5932 /prefetch:8
3⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
3⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
3⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
3⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,9347728845683265030,3491698222183219570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff73a285460,0x7ff73a285470,0x7ff73a285480
4⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3d5c58bcb104ecd270c198910bb9947f1b4887e7f340e9e934e44a5718cd2782.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe9b1346f8,0x7ffe9b134708,0x7ffe9b134718
3⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10540214518702155121,11186513143959957322,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10540214518702155121,11186513143959957322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
3121a89c589b43806469c733a1d6fbb1

SHA1
af970955ec34de61958a2b1e0bf271d440b514d1

SHA256
c57070af2586a5fa446a93cde9c596e9cea16c136c803b4eb920d70da56b5e45

SHA512
b02b94cc6438ccab4267eca60f66a63da970761c74f04e46541d5eb84c9f98fcff54aa8448b8d6862a588f58fcecc904104aef9b6c7fee050ab87383ad688c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
e88ea76161eea4a00b2019224690ca06

SHA1
787e843f6656918e0bd1292a085b587f4e240618

SHA256
ce161ed1ddcd7660cdf46ab6dd1f38c4dab3e36b21535eec14f90a8940ca734a

SHA512
492425c5a76c1bd2c1875ba67a04b5943453ccb5308a3e0d5b21da82669e6b2d87df6e185eccc953b7dd2651e9085fd47908742f0b255f03910b8f5ff421ac10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
286b565d61c8e9b7652e0725c7a0b264

SHA1
d296c0f8a7ef20b96698ebd11a0f79fafa136b8f

SHA256
48281a4c5a9348974d78506dc4b3af3520728195c4e55b12d70c7580cf844036

SHA512
271cdca6849294dc49cd0cadedc15500a6100fdb3644ed3338438f02e331335eb3ad72273d9bd23eda6f8728cf81e3b4bd095d90d3766b46cf52adb6d01c0878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
6c31457bc0b7a2f02ecf8f5e0e816a8c

SHA1
659e62ed75c76092d26a29177d80d0689dac4e02

SHA256
51f3d1b3b32aa1ceb22882a60f2f8ee4dc209665533cee94e06c1d6c81d5ff33

SHA512
e82b36ab1b95572e1ca6dfc8f1c5f91aebf0845077ef354b860bfca45e22f5a65abcc88b4b9f848ee32bb819389e6c9765d197d1ffb105f5ea5c233bfeb4c5e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
286b565d61c8e9b7652e0725c7a0b264

SHA1
d296c0f8a7ef20b96698ebd11a0f79fafa136b8f

SHA256
48281a4c5a9348974d78506dc4b3af3520728195c4e55b12d70c7580cf844036

SHA512
271cdca6849294dc49cd0cadedc15500a6100fdb3644ed3338438f02e331335eb3ad72273d9bd23eda6f8728cf81e3b4bd095d90d3766b46cf52adb6d01c0878

Download Submit
\??\pipe\LOCAL\crashpad_1244_LEMUEZGFRRXVTMWG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_324_IFRLZJGBHTYAFGEJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/324-134-0x0000000000000000-mapping.dmp

Download
memory/500-147-0x0000000000000000-mapping.dmp

Download
memory/784-142-0x0000000000000000-mapping.dmp

Download
memory/1244-132-0x0000000000000000-mapping.dmp

Download
memory/1436-167-0x0000000000000000-mapping.dmp

Download
memory/1460-173-0x0000000000000000-mapping.dmp

Download
memory/1548-175-0x0000000000000000-mapping.dmp

Download
memory/1596-154-0x0000000000000000-mapping.dmp

Download
memory/1648-135-0x0000000000000000-mapping.dmp

Download
memory/2444-163-0x0000000000000000-mapping.dmp

Download
memory/2512-145-0x0000000000000000-mapping.dmp

Download
memory/3140-150-0x0000000000000000-mapping.dmp

Download
memory/3448-158-0x0000000000000000-mapping.dmp

Download
memory/3468-177-0x0000000000000000-mapping.dmp

Download
memory/3936-169-0x0000000000000000-mapping.dmp

Download
memory/4024-171-0x0000000000000000-mapping.dmp

Download
memory/4040-165-0x0000000000000000-mapping.dmp

Download
memory/4164-143-0x0000000000000000-mapping.dmp

Download
memory/4496-176-0x0000000000000000-mapping.dmp

Download
memory/4704-133-0x0000000000000000-mapping.dmp

Download
memory/5048-156-0x0000000000000000-mapping.dmp

Download