hxxp://cdn[.]discordapp[.]com/attachments/1113838861139853314/1113838978618114099/GrimWalker[.]rar

Resubmissions

01/06/2023, 22:43

230601-2nc2wahb91 4

01/06/2023, 22:03

230601-1ycy7ahb3v 7

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cdn.discordapp.com/attachments/1113838861139853314/1113838978618114099/GrimWalker.rar

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d63a6e6b-32bc-434d-a402-32be780ec660.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230602004436.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4152	powershell.exe
4152	powershell.exe
4572	msedge.exe
4572	msedge.exe
3456	msedge.exe
3456	msedge.exe
1016	msedge.exe
1016	msedge.exe
4692	identity_helper.exe
4692	identity_helper.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeRestorePrivilege	3784	7zG.exe
Token: 35	3784	7zG.exe
Token: SeSecurityPrivilege	3784	7zG.exe
Token: SeSecurityPrivilege	3784	7zG.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3784	7zG.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1956	3456	msedge.exe	85
PID 3456 wrote to memory of 1956	3456	msedge.exe	85
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 932	3456	msedge.exe	87
PID 3456 wrote to memory of 4572	3456	msedge.exe	88
PID 3456 wrote to memory of 4572	3456	msedge.exe	88
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89
PID 3456 wrote to memory of 4580	3456	msedge.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://cdn.discordapp.com/attachments/1113838861139853314/1113838978618114099/GrimWalker.rar
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://cdn.discordapp.com/attachments/1113838861139853314/1113838978618114099/GrimWalker.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf65e46f8,0x7ffbf65e4708,0x7ffbf65e4718
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c0,0x22c,0x7ff6bb7b5460,0x7ff6bb7b5470,0x7ff6bb7b5480
    3⤵
    PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,18413780978614782288,7229804471657974801,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4936 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3039:82:7zEvent4772
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae2c65ccf1085f2a624551421576a3ee

SHA1
f1dea6ccfbd7803cc4489b9260758b8ad053e08e

SHA256
49bfbbfbdb367d1c91863108c87b4f2f2cfffbbbb5e9c1256344bc7f52038c54

SHA512
3abbfbb4804c6b1d1a579e56a04057f5d9c52cfd48ecbae42d919398f70da2eacd5a35cb3c3d0a559ad3515fadb1734b0d47be48dce0fdd9fd11578948a6c7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c3770be634be8da92e71a3f9f76d79d3

SHA1
f4538b79d313dd46e55d1fd3e6ca3d4681fe4c3f

SHA256
23549094c00feed7abf21e56caae3c8b22a7bd89cfc2f5ea369cf13259273432

SHA512
09c1a087be6dcb49fd0725936571946266f31298f8ae141d59b9ac60f3f0fe8e7d964f661818d72682633845b48dbb906d8c89bb33bd2060bb4971b3e14fc4a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
162KB

MD5
44ec03cb3248c903b67751ea27df310a

SHA1
c57e9cf90caf30457e9d57db750b8a0eb8856770

SHA256
d4de4a836d11828dd561db1eb8d7fd48a7e0ce9afd8645e2eabb19a1267b6894

SHA512
657e8958d97eab524224bbd8903e0bd7d0c2640805f77da7546060164fe03f7b6ece99a005ef44e41b7233a2e24ffc63430b2fe3c87f61a1b26e0d7c7e52c365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
41KB

MD5
97b897507875112c8847d8574f31dca9

SHA1
dc7c408753f023644e6fb03e9c0871c6d9bf4ba2

SHA256
c64f9189b6dff4a900bf8cd253c9af9a3e627d36aaccf000a9305962201676fe

SHA512
1367715738fdced351db63a72be02277a6a41b274f2e6d898039a794626367fb12ebed971ce5865bb2bbdb657b45c70e1bf6c3b56b489db45b80365c63f2cdeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
41KB

MD5
d527c35a56f1b675bb6b167e9091300d

SHA1
8a211606d81c7e37d69e70c20841c85f489f36d9

SHA256
3724b0492e636be066b054b924e6cbc9eee7bc1779bc55c364a7b2da98cd8770

SHA512
dd160958775966ef3e4ae0f12867ebd4a9f6e7c479abbed605503e140fede0061841f49a1f165281f71444d72699d8bdab0ac34aeaa495f684aab713d01fdbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
75c6520c65a0751d59f05ded1aebba99

SHA1
49453978e3c2b0d95969f9e01baddd68d3cac8bf

SHA256
4408ad5a0fd5b24f0b3f4e24702e0db839d971be6c1b72c05320c7459c62ca1d

SHA512
7f874993f992a0aff3b229854cd1bb1b20c3cc0eaf43139b48b1e2b7dc3ca894a92b2c851b3823b05cb3629fecb5b6696e1562cc45db2bf0f0ddf36b0c765020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
96be4c40d2790deac3a7d846025b6a8a

SHA1
35e5bb0cf6fa1adf1ecf3448640e44376baebf91

SHA256
cc968fb6f397c234506df64e26b61f461765cab8324dd7bd7d7863100e8fd63f

SHA512
fb92e231f76d9c7731ce195ea6ce37a785deb6c55fd07fe7bc15a798697003add1b4f11a8e59e2d6f268afb30a22ff989adc4189e04a0a68548859ecfdf31c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e6ef4f5d69b2766380cd613e76141d22

SHA1
73a224ba5a77bdf2dba8a86c17e1c481411aed58

SHA256
32ff891db2e5249efe806cb36615fbf79a176d1c55d13102769d3f6e5a7e102c

SHA512
4237f5c117dd82e418e7af2465ad82a71ac1416a3d8b7a16dd01b3f2d63dd34072877453f00be47d4c944fa2b9d60896bc016832a83dc79faae25a2e98b5bed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
340df50e25d88b808940eca371077e7d

SHA1
437eaf905fe2feab2aaf6a7748a9f27e6eb53fa3

SHA256
f53c7b10a9fd84d5e6a0ef188ca109cb0630eeb5e5e4a2d2bb562b81fa1b4497

SHA512
a093e9c4070f523954049dfa83cf44610ceba2a646723cb9cb7d36c7c4ee6da1dd6c397f4aa724c300a4a60bc5b81fbcc4bec4053769611d6e32ec7a07bb5a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b17275405fe03757a8562fc3945daed0

SHA1
e2796639108e3825c76a7c4d0c4dc9f18075a5cd

SHA256
5b6e6acbc84d8b78157f628dfc1826a7d59ea21bab1ba93230545d16cc37fe45

SHA512
2bd0a7831dff0e3584671d63e3150f7e1fa15d80a73116ec74a2bf6b4c2f170fa127b45222e2d1f1350987f3868ef8f8e0d06cd7db60f284746c494175899b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ed368ab8804f9cb8dd3862f2a136c82b

SHA1
c6d5fb8fa2a022a8e5136da6619ef25560cd3960

SHA256
9a41317d3e8d803570223ba26511bd0ffb4d0c367441ed3d18ef864b43cd36e8

SHA512
afc370a97a384f646c3ec55096f2d00b73b1e869aca473c18b708e29599a725c5b44f339b625c7f480f082d33095ccb7d2a747e2380d0555d4cd7155d1bcc26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
598dcfdf3281043e675d0e6df2ed8b49

SHA1
da054cc73548f64c635b36441fd12e8d814c7f2c

SHA256
c1046e7a841d2b05316268a4a49f323caded2f8a59017ab1d9d431df041e5c9c

SHA512
e419246752e920fc514f34568fc05f3af10047879eee2bf6289a6d0d7310612d6a378a9aa812e30d0b60841658f8f8bd49fde4bc475722af923372e1fce8abc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5551c6fcbd12ae436621b78e916033d6

SHA1
fa833024b8176bbb1c6d63358ee43a6b42671d4f

SHA256
dfa3d22f36bcebac095e20cb06e278b286bb46e72fb4ee88996b95aed37465ba

SHA512
31957e5f1f6032c59683a01e7a630f33083aafaeadffa496b9678e2ceb1e94056f09ad2d701883c1d60e176259ce5996428dd7b5b67b1f129c323c5f694a1a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ddac9ac27efa88ec34c227f5f8ae3d96

SHA1
5dfb2fd3d1c444276982a02ea79390d2d0e8c863

SHA256
a9166318486546843d3de0f18528daf6aa7cd789863df35a45db9248b2c2cbdd

SHA512
a8ea2b37a86a11e147a4c29ffd93fd75d776e56221e93e9fb6342ea4d8249de394b54cec667608f9e6eafa33dda9cbe92661fd4db03612496bd27fb253652a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d17c6989678827a05faebe4cd08c8106

SHA1
ca0f04d1b541504f8dc594cf97c1362073086af6

SHA256
4da86004607a9ce3fc77122d6d10f164fae7b480249ea3006ee93cbceb55d5c2

SHA512
888949571de584b35936017eaa69281696c1bc380a58f91305e38add0c980001220b5df0a1ac9175f9f9601677837fab66803814415d84201abfe9d72219f076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
362dd059129703a01eb3ee8c47a5dd69

SHA1
55032886b470a58c97c1a88b620e07388876cf4f

SHA256
6eb28c6cc0da8bd2cba58b2c21ec0f81fcacf127de79a8a11586657a5d5937c4

SHA512
ccbb80a00be49b87a3885ee81ded7925940943e23458e29e7456866378edc1e621e4b35b93386f42cde88f493d92841652c0b2379e145225961a5d812b009038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b3fbb8a02260d5e41407a7e1af3ee2f6

SHA1
9180c8b9593405936b0fe52272571b63829525d4

SHA256
8c1434a31409aa606a51bdae37e0853597cb408a2cf199f05e02705df3fc15de

SHA512
8a6ec40722054025a8969a80e795b026fc806a0710eb2f9e016feb68cc09a19333404a8a62910e9b0335729fd64e8e1b6250513ffc334dc8d669d96de62eb5d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cfd585ce0db9a1484f8223dc2cfce2f8

SHA1
4e5e287160c05ecdff8acdfa0899faa5bad4de82

SHA256
0bcae3ddcadfadb917e4f910daefde07af8d2708b7795f3a1146102dcf6cf445

SHA512
b45dd6c3231a79155508d807d4b6f839d49e6120841c4f31147a83039515d3358822fa1fa4ae6f770b4369b96f221326c0b80dc2f0cd99d605440b12c93fb648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d363cdf317590f3154be5625cddb3a17

SHA1
f17d666967c90655f26bf05fb4fda69dd959855b

SHA256
a3904f2e4596293cc279489fdaa30158b53eeaa39eb9365903be3feac051f180

SHA512
c676752f5dc408ef614e657c15220a6c4e7b16af0451964f3f97b4c354add80ce0aa5ef6e2109ca9f738731cef308356d3b7a2500c58e6b7b5f08e74719da248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe576513.TMP

Filesize
48B

MD5
1b837ce15448f58ac586eaac60d9a4cd

SHA1
e96f5b4a5667438537fbd80b179ba8bba686cb3a

SHA256
835f60658d1b141d83caf81cecc3bf43f0d21ee67908396a71d9a27737eade73

SHA512
f897079f3e02a3443e3da33f69354beee29462a002aa0c0e808070e370546e4b391e9bd2bf9135446acc39b1ab221961eedf5f6d8c03f55f209b329f5a017263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e30276e6-788c-4404-b422-0aa62cb28431.tmp

Filesize
1KB

MD5
0d6440e9791f04458ba3a58eafc9fe42

SHA1
949f507e7c5716c5b45bda37bbb6f111d551a368

SHA256
0f64033e6a346555a50dea2de0d35ddc9a0c95fd5f86fe23f48c2853e42c165b

SHA512
e79bcfad5a30f2bc7bea3abb090aefc5d030206778c70aa98cd3c9d103e01f8b28f8681a06ec2ffac81aae2ab7c86a90fb923150f12c079e1a6ec1515ce24aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
9535f3b13eb0f1829958619cf1b6871d

SHA1
56447c5acbc9381b831deb94611dc3a52cbcd0b0

SHA256
1812bf8cc860a6510c4beff68f5049f7d504481e927fa94ecfcd37cb6388ed66

SHA512
26670e3821e36a201c1bf4b83b8a243f9d297b765a1c2de6d9dd9849bbf0bff36199714d530db5a0d7d97696ee4ce09f7ec37e2b17f82e8e0f3791935ff3f070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cb68ec6ac658372a159a94cee9706e7e

SHA1
bcf3087ad2d4061f903b26e65cb62460db57ddf9

SHA256
b720f8cd20199568e2990008cd8cb7e9ac9b2576e9461cf22e86f6973f2fe5cb

SHA512
f564f73771c255ccf309f99b4952533e2205ee1db2206eb2da0482b6adaebabb57f9286e3c2e94f671ef736e34c80f342c90de7e2f6c9740e222968ff29d60f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ad8976cd7a72de7df5283150d3d58dcb

SHA1
3f803c8d98448cacbc93e7abf02d58cdb7d5e051

SHA256
8b1e45f67001f53cb0a31a27e5e5d71702893602534a10fda48e7b722107989f

SHA512
34737724f67eb3ba844224420bac83b999413b0d705cffb911f3480f2ef7d639d5f129ad7922c300a93a2810ba853f72e1bba417cf5f500dc461230dd2008c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnguosyp.uc3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9c18f680d3d581279522c4dcae893b3a

SHA1
4eb02bc14597314dd95de684d627c62301db2979

SHA256
a1c45974b3a1453add2a923380af8b4280bcf215518ffdc35ac7d0a4c5915237

SHA512
e2c5da3c9bfcc1f9e428b8e14144ca1931b318a4d0cca36c4b4cab597a7daaf011f8e2663833abd351adb96d8a1136b6ebdccac5bafeefc54f455c5a5d6e5616

Download Submit
C:\Users\Admin\Downloads\GrimWalker.exe

Filesize
69.5MB

MD5
712881136b2a3f037073fb69eb6b034e

SHA1
9a72ef2553945c6f064f85fa505f256b39fbc9af

SHA256
667d393aabfa84c96085a1cdc28b17792dc4bc84957a5f942d4225a42b3a9795

SHA512
6faa411964d321842b10ca54e3362f43cf81af12634ae78a3a2f27facd0492f16cc52b9137a3d59fb5ebb50d4ad73dca88a5f9deb6b2f77c2c276e10a55b08dd

Download Submit
C:\Users\Admin\Downloads\GrimWalker.rar

Filesize
69.5MB

MD5
1593fca04dda81afeb341880aceb5256

SHA1
2e80a7d0b0f109062ce2839ff7f21ba1f96b006b

SHA256
0d1f93ab7b9ca44603bb70d1eb8f90cd7bc82e79e90583217619f87b3713fece

SHA512
efd9948bff9feee911ebd547bd4e25978d66a8b39ba37efa67ac6b89135f47a782fb468ea10df85e30418288a27420c68c6fc654341adea142bd8609531923f9

Download Submit
memory/4152-145-0x00000239765C0000-0x00000239765D0000-memory.dmp

Filesize
64KB

Download
memory/4152-144-0x00000239765C0000-0x00000239765D0000-memory.dmp

Filesize
64KB

Download
memory/4152-143-0x00000239765C0000-0x00000239765D0000-memory.dmp

Filesize
64KB

Download
memory/4152-142-0x0000023978CC0000-0x0000023978CE2000-memory.dmp

Filesize
136KB

Download