7425812a7f08b34a8dc11f0f8518a8d19eb90954dadd9b9ac4db02bedd746f6f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
02/07/2023, 23:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1168-54-0x0000000000280000-0x00000000002B0000-memory.exe
Size

192KB
MD5

bc40c8b4e28dd170f2561a5aefd130de
SHA1

089a16e2a3e24fd2f7271068d0c03e591354e2eb
SHA256

7425812a7f08b34a8dc11f0f8518a8d19eb90954dadd9b9ac4db02bedd746f6f
SHA512

6c4ee4d2d77f7dbbd673f916fad68b446b9507b2185745c559e89ddb60c54dd3a4dc1e1b1db741215fddacd5752c82820e5818cbc9e69b879686035ec6828133
SSDEEP

1536:3hbEey6y36sv0W7TDGOIrHuyk7xk2W5/uGxNFVYQffbuclGHQ4N0GkRP8e8h3:3lEebE6Cyk9i5/uGxNMS3azNM8e8h3

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B8F712ED-71A9-40E2-8F24-7212066C79E8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{74B09345-A042-40ED-87AF-E2275C5CE75B}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0E88CC34-A79D-4BD2-8E22-6A84814BE10E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A0A4ACEB-9C98-4308-9C26-1A3604831742}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4567E4E1-A524-44F0-B56F-FF953F1E6C65}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5CE49B18-2F58-4DF2-9A66-B5FA162D3904}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FCD4E483-E671-4CB1-BD84-EBF59AE7AFA9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8B571224-49FC-4CF8-AD9D-99DD079D3FCE}.catalogItem	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230702234146.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\50388423-83bb-4351-8038-ebd26b6f699b.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1124	msedge.exe
1124	msedge.exe
2388	msedge.exe
2388	msedge.exe
2176	identity_helper.exe
2176	identity_helper.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2388	2356	1168-54-0x0000000000280000-0x00000000002B0000-memory.exe	93
PID 2356 wrote to memory of 2388	2356	1168-54-0x0000000000280000-0x00000000002B0000-memory.exe	93
PID 2388 wrote to memory of 1508	2388	msedge.exe	94
PID 2388 wrote to memory of 1508	2388	msedge.exe	94
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1016	2388	msedge.exe	95
PID 2388 wrote to memory of 1124	2388	msedge.exe	96
PID 2388 wrote to memory of 1124	2388	msedge.exe	96
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98
PID 2388 wrote to memory of 3836	2388	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\1168-54-0x0000000000280000-0x00000000002B0000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1168-54-0x0000000000280000-0x00000000002B0000-memory.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1168-54-0x0000000000280000-0x00000000002B0000-memory.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7fff754b46f8,0x7fff754b4708,0x7fff754b4718
    3⤵
    PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
    3⤵
    PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
    3⤵
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:3824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
    3⤵
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    3⤵
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 /prefetch:8
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff607e15460,0x7ff607e15470,0x7ff607e15480
      4⤵
      PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8572473523933497098,10782235060644700654,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1168-54-0x0000000000280000-0x00000000002B0000-memory.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff754b46f8,0x7fff754b4708,0x7fff754b4718
    3⤵
    PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a9f76dde5876d055fc0a4a821de6d02

SHA1
3cb30f2ff875cff6a4e4be0c7506254e076ad4df

SHA256
323204c96cf3ed35bb893c2f20a444cd0c7aa0b44749174b7b22ab351b2edf1a

SHA512
b805309fbbc622f2e47c9d4397662713b37879d0ea0602675c0894e655b9dcd34d483a02c6bdb73b5c6ce084ca7523e038104bce428a5bc7be3569c0d18b9091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6abe43658387f0826ca6d505ba2a9b0c

SHA1
ba777e01296195063af3aef86ad61289215991b6

SHA256
2683def01b6ee96268c1ee356bee3d8540683e6c830f6860a903cffc07f345e7

SHA512
2ca9e4ef89bc9d518a08ead9420610b2c24574f474f03545a65d589a8ee01a926b7da3d344e227a7f056a004766344bbb57d37f2d0cc3dd0078ddd9eedc87b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93c5bbcafcf5bb0c6f5a69213346cd57

SHA1
83be2db3ee167ca94d828fb6b5c259dd83f1c43c

SHA256
bf6963b8e445330d682f6cc98cb90b97971d914dc8dfab0945a6e4d2feab4f44

SHA512
6df37202e72db7f2e711b82601bc4c5ec01a918dfece209e734473b826a4cbdbb12ddbab8232e03afdb695bdad14c5b944cc26de99d9b2bff678a3fc267d3fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
df94c80efa568138515ebb2d824d4009

SHA1
cb24d072103cf1fa760f4523a8f0fb5f4cb92bf9

SHA256
1af2aaa5c27a900ab19b1b4c8c91c4232ab10e559a5f4a0ecff8db9af006af34

SHA512
c750053db6c899cfb104d541ba339422056269f23580bd26275f760aad4cb14a04b04a44bcf0f7ae68f94c149e4caf9c4da49e117ed8715dab01bb3bd2aa8ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe570659.TMP

Filesize
48B

MD5
abae1a4ef73b21d06661a35190a56e24

SHA1
025fb10f44080a7225384b5304f0830ec010ffdb

SHA256
34759c6a6d0e059b4f9966def0c3372f5210c410ed9bf5811fbb75a6f90bff64

SHA512
e0806d9130c2cabf3dc46aa3c3cbc20dcb065e009fec96f07a3af9e48ee516a20593cc39146919ddb5000170d739471598af2ec82a2c71a37914f11fb7102bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
2ea31b7775b3bc3c5519fc6c169e3d86

SHA1
7d6df8cfb1f6bd1e6aaedf051df48cd9ab1ac498

SHA256
4ec5ff9629d0587503e728f3676f9dbbd6b2924e9868650b60cefb0eb5800b05

SHA512
6f7e385d505674836e2c49a88f088d8534e020abfe8ec001854f15c833259889415616dcec55a60c7ddba62e7b5f5b3976f689314dde21ba984785b939ed400f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
566B

MD5
7169a1aa1ce3e2bf83ea29cbdb89a766

SHA1
17e2bf0f1e477e517d1e4fac2a063018d6944d28

SHA256
7f5ced99c59b59949680fcbaf98cae3af5f42d8c3854f3c395d608b9a9bc319c

SHA512
f6402334c930a87e7924f26b20923394209755764f4a6fb44950666bc79edf4d96d31d05c24f354d59ba6bb96ff8107239fa6cb812235130224a63c05fa76660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
027cdb2f3d8099191ce85d338bf1c465

SHA1
c8a7ea5d19a50b2ad32fc47595f1dc5b09728192

SHA256
09ac2b85730968218d1b007cd9a0ee49e0a3baf7163479481c0b74561f6ed15f

SHA512
8c1253f00b084d72b56d80f9aaf4b8033d64031d4e9eed5924e350f9a8b761fd9d309a4ccec8702a85e587855aa5d39b8bc1fa23ef64cf0b90e88145a80b61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3633b362a4874c4d28783e8ec2f18ba7

SHA1
409845fd154a0c51a1896a049b988248a3410015

SHA256
b043601bcc8e85b6ab52a5d3517f46561b2b2c199ac0fe7099ff9ae9a3f6276f

SHA512
d00cd4fbd6a8aae56f8607277d8682c530efddc1e27f8e03aa20f1fa369e0dee0227546c2e90fc0f2be3677e68cc22c56f9bd363baa4085861bb25a87b5774ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b4447eaad77f558a563e1ef45c8e88ab

SHA1
c879fc44793699108978fbc83eab2f829bba0cfa

SHA256
b05ce9dc557a1baa31fbc154be81b5b913cb21ffc4827782275cbb3fd322fdff

SHA512
c8d545bbbfeea36544c2e55d000b42d968588305363c272280eea81c335e3e99150083c932b60d288fc1a5f499fc73eae94de51b110a86b4338fc10ae621ef09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3922931a21a66290ecb769f2d79cc417

SHA1
d72bc5af3b2da078125ce71512249f67765624c3

SHA256
0eb33cdbc3b30f2dd68d3e4de912b61c6f29f3ddbf17b8e83948e9243763b8d4

SHA512
e4b1c22b64afa2120c2ae1385374747b04ea4b509fef1a27384755d57cfd4a86008cbf9af7095a1955c9934148b38cf7aa32b036d08702cbaa0ec9f5f59c3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b359167b3568d1b4953adefdef0deb24

SHA1
98405d3ec52edeed62f8a42bfe766ecf395a95b6

SHA256
177289a899357233597b059fde47b7e54aba35ca95e2a2201fd8d3ca68273578

SHA512
28efc3e9bb0350c2229ffdfc0578c0ebc8276405849480c1762c75d616998f6ff654f7ffde3cf0676b62b583b5ec207e514040de1a809b465bb9e734e29c96b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8895ff7f8fd03909bbe033d5a412710b

SHA1
09d21c774919bbaf2239a2d04b6003471928d293

SHA256
8eca823a24aff4d81331c2234adfd151d49b28c3895f4766d13b0de9ceb220ea

SHA512
45fff99441df58511817442e9f0ae1a4441b771840c9653f2f4124cc9cb5d99c4b29514788f2ad2f416a4696908985eff42d1fea0a7154821750b5856969cac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
03f2520b35bd1475034a7faca12c749f

SHA1
9cae1cd11aaf71655ea65bced1ca93fafde18830

SHA256
25f80b2aca4dcea6660481e5823edec5f6324f69a457ca46367bb240b177296e

SHA512
8df8240fa20ccdd7f168b4679e663d0d94b52b0176a7ad842c5fb456b08b1fcf8d8a780d587cb5ff14e9728372d4f3dea62a02cfb455bfa396f979d94f90c608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5f943f19d7125e0e68808a2ccb22e1fc

SHA1
6fdf109758c4490efdf89e389ea0caaef5a2939d

SHA256
9b64f599319afe2391e8f1b7693eab16cd8d16f1d7b122893eb5157c29b6296a

SHA512
787bdcd7d2d3fdda5fe22e7349a314e027e789926cac60954418c52be7b24578ecd894ce2d11112ec5b960ff84e9ad58c249af0f8e245322ff56b07c3c2ff37a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
fe34310c2bbfe99411462570bfb38a97

SHA1
04b393d13b0e7e49ef7dce2091641cfad74e4ecf

SHA256
25d49ecefcc968d79dd5f1e75c9df3e94acf8857396570bcbbf17c43f5389fb4

SHA512
2fed7c3a1dfe646f271fdd9d7ba1f031ae87757a437491faac6824eb4d188256b163f5dceb404167ab3bd114dc7bca4e5480f2505087055186fefae6bce38ba0

Download Submit