8413c7496ca732666d112ca9d565560a8563b4a1614e8eeeeade360156604e0b

Analysis

max time kernel
72s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20230221-es
resource tags

arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
26-03-2023 05:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

bootdata.exe
Size

8KB
MD5

0a78174420568e5aff0b81ec0050deef
SHA1

5acead5f8cd93ad5dbf7dd3044d82f1d937aab5f
SHA256

8413c7496ca732666d112ca9d565560a8563b4a1614e8eeeeade360156604e0b
SHA512

49a0a19d2fa3dd09d822fbb46c0bf8cb55c7a2a75a997b25949b5a343586a27c0fb2113718edcf7d32643e48df6554c5e4d3ba288dd459f1f0c8d649460834e8
SSDEEP

192:EqK0Y1xMew6EjI6b08a7W2f5tgN1eo2Ypv:EqKwTk67a7W2I2Ypv

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

bootdata.exe

description ioc process

File opened for modification \??\PhysicalDrive0 bootdata.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	bootdata.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230326071444.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dc8fc7ba-6bcb-4e90-8c72-172e52489edf.tmp	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

3600 msedge.exe
3600 msedge.exe
4720 msedge.exe
4720 msedge.exe
4348 identity_helper.exe
4348 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
4720 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4656 LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3600	msedge.exe
3600	msedge.exe
4720	msedge.exe
4720	msedge.exe
4348	identity_helper.exe
4348	identity_helper.exe

pid	process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

pid	process
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

pid	process
4656	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4720 wrote to memory of 2500	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 2500	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3280	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3600	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 3600	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe
PID 4720 wrote to memory of 4616	4720	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\bootdata.exe
"C:\Users\Admin\AppData\Local\Temp\bootdata.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffff13146f8,0x7ffff1314708,0x7ffff1314718
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
2⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0xe0,0xdc,0x110,0x114,0x7ff6ae1b5460,0x7ff6ae1b5470,0x7ff6ae1b5480
3⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8718829811120465422,5826375223148897210,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3987855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5a10efe23009825eadc90c37a38d9401

SHA1
fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

SHA256
05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

SHA512
89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c1a3c45dc07f766430f7feaa3000fb18

SHA1
698a0485bcf0ab2a9283d4ebd31ade980b0661d1

SHA256
adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

SHA512
9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
40daf2e6efef487f816666435576c70d

SHA1
43a1800644263b0df19b4714574b26f5c4b7f9ac

SHA256
fda43fcfd59aefb94300ef1b9add0edd6945c2fdb280a25bf5f159cb6eec83d5

SHA512
fd5c66c57893b7e12b2bd1bf36fdbe682abf40d1fd2a72518e74dfdd477d8ecb2c06bcb6d178f380c928038e723fc3f2525c6afa234117a9440269317ea05181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
f4d737e6097653823991959376da47b7

SHA1
ba6b22c215516524ccd0039f3b78de830cf911f7

SHA256
a577714887f0cae5d035eb291aa77aa1381782dc3a467f22abcaa7c25bcc6b2c

SHA512
a2fa371121bdddec2ae3666860bb20ef4e4a8eafc7409439b9f532ca62668505effe572bff56bdf326a8b8072c25b89c388ed881a7d630434187b70847066ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
d8195be3aea9d72cf57637fadd6db687

SHA1
d49c8a11b3d227606472d424dde5718adf453761

SHA256
e1446ba9e4287da94594122197e8585d93169dff92aad39e35cbac0f2c511e62

SHA512
de7aefe490205dbc3665a8ef0e311a13379b18d290ef670100bc7d9a53c8a322bf37ac4c82613f444b5aa8b63349a8abfbe1191e2173f7f4fd0b6810509c126e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e192f2d176b5f597d80147e70d53e534

SHA1
cb3c0535ef7f2a70c3c5989be24f71c9c2a4970f

SHA256
f50ed8ef3be8213020e8f9abc420699fbbb9c8bebe3c856d9495b7c821b328b3

SHA512
17c6b3dcf5df1ea7037ff8891ac84ddebc31cc60a203362338c2b2a4ebbef3b93a3e23e167c5ea8496f9f39097c13fd4ab19e6cce434c7c99122a3c410ecbb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7761e4530abaa55216836a05ab0c0b9a

SHA1
f9af61e61d151808275175193b1c69db53afb2f9

SHA256
789433a4698638b519774430da2e9b53d9453792ae194827776d3ff9929355bf

SHA512
d7829362951e176226c523dafb27ed880776b964833a7c166f1581f707b3eeb8870108ca5cdc5fe3500049edb7904107f644d02a9204fca92c691ce0d2a3b7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
5edab6d3ffbeee247ccb4423f929a323

SHA1
a4ad201d149d59392a2a3163bd86ee900e20f3d9

SHA256
460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933

SHA512
263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b156edc8fd826af37b7048347770ee51

SHA1
bbcfb3c0da943c7dd0092815a76714320442fcf4

SHA256
7b75fed79b213b39b8248066c3d6fe6a5eb1f34cd300c2317f73c96e701ca0bd

SHA512
5840168a9e9837799a4bb32a27c53e7ffb6928b7da3837453cde841dd4dc0dc37e5b017556adea3e19fa903978870bd7c9543419eb1344f50c8a56f157241bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
169a90955f6996594bb32ee266848ab2

SHA1
5ec4438eb033c4f1127d8addc5aadfae659b3b27

SHA256
c5202bbc161c3f3214df6d3fa92cc7cec718c26c12220f41e98f680602510456

SHA512
be941fb0cbc8dbdc1d53fcf7832f759b2d38a7fde9a38c7b406b8812062cc229c69eda2fa88e94aef4fd7aa8f583b3d2f5232575ab827a470135484171515b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
22463fc38742effae596e27fea25366b

SHA1
840cf1b93508fda7d7cdebed8e19ec82627b3ec8

SHA256
3e6abf5c19d17c1341ffea6db46f758c884791568b9e63863754d18748f0775b

SHA512
263edb07a644a3c4d9d41116cef2186e10682ac7eb5ccf8cf84eeacbeb7f34127268914137e41513dd9670e80018cda49c0713b01365ac6459a60685ccaa039d

Download Submit
\??\pipe\LOCAL\crashpad_4720_KAKOLHZYMSFATDXV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4512-134-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4512-133-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads