hxxps://dl-cli[.]pstmn[.]io/install/win64[.]ps1

Analysis

max time kernel
169s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dl-cli.pstmn.io/install/win64.ps1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 608192.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4856	powershell.exe
852	msedge.exe
852	msedge.exe
3108	msedge.exe
3108	msedge.exe
3904	msedge.exe
3904	msedge.exe
3940	identity_helper.exe
3940	identity_helper.exe
5184	msedge.exe
5184	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1868	3108	msedge.exe	100
PID 3108 wrote to memory of 1868	3108	msedge.exe	100
PID 436 wrote to memory of 4460	436	msedge.exe	103
PID 436 wrote to memory of 4460	436	msedge.exe	103
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 396	3108	msedge.exe	104
PID 3108 wrote to memory of 852	3108	msedge.exe	105
PID 3108 wrote to memory of 852	3108	msedge.exe	105
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106
PID 3108 wrote to memory of 4256	3108	msedge.exe	106

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File https://dl-cli.pstmn.io/install/win64.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9e3bb46f8,0x7ff9e3bb4708,0x7ff9e3bb4718
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11321525336452749107,2325583177207556432,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e3bb46f8,0x7ff9e3bb4708,0x7ff9e3bb4718
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11013931978494191892,5331333001280321126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11013931978494191892,5331333001280321126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\618e0e4d-2229-446f-9e9a-229178256495.tmp

Filesize
5KB

MD5
b6737a74636083a9346ee405a901abc7

SHA1
0784366cc05985eba519ba010306a8a4d21ba43f

SHA256
03cc2ba7bc32f6a0bf525d7c32fa09bfb292c8a00e677228ffe50805083439b2

SHA512
ae529b9cd694ea090e752621da858c69e5bc3b14454992c78a8139e53d5e5c8e342b1db1c1a17e143528cc5b1221633348febc071b0b44f8bcf611bced95b124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
253B

MD5
6837c6730f1c91fd3196c0aa3fd6d77d

SHA1
bd81796bbf86b4d7e4aa6317618e61ae7ac5f52c

SHA256
8176957d4c2862601d51ba2b302d6f709565460bf2a8666bb24d75fedfd63722

SHA512
a4fc78b2fe4beee78b1b1af3e790a00173b336008f237ef7a8cc00067b3a1b393ada2bce3a45f7fb7798c482c8b62b0fb15879aa316d24479c67850ef9d333b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f19e2c16d126b103436106b8f81731a

SHA1
9af85dfb74ba36229a328f1939ca1a5835377faa

SHA256
ce3b81322137132b35990897e1f7beda6777f39c5d59b1b158d1aa6aafaf0114

SHA512
c1c0f77a32078a4e60111150eb86d9c9941768577587a06b18260ff5f69f7e9fbae7db8af1494fc8cd922b060522be5b5a8813b4ed469bbfc1b1d5a4a5f3f0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
670f4b05c38ad326cdc30d192cc44e00

SHA1
1f529861baba99f8c7aa0e430b37f8d0bfc6019d

SHA256
7729738c26097020bd062c1168cafb9f428a199875095557cf4ef5920932fb34

SHA512
d8b497b3bcbd6c44b91af3faf29d1d33cb6091b8309c6c68fa0f6e9268dbaf99634d62a19d664168a2af37ad07f5722862de42f2142dfebdeec2b2bcfa1ffe8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f3f77183d4962c6f9831dc12057e19b9

SHA1
3897deae3c6a3dd8737a853df57231724f85df9a

SHA256
b74acb09d81b0aee7cd1417d7c809bd8192bad0bcc9d6a8340bca59e67d2277c

SHA512
4939f1852eda777da8576b6ff0bb578c36956de0e9f119d6b85b87f9ec9b30f1c8e0c2f58922528871903dce6a208244c1bfb1a0671875dc71e798e1204c6608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a3b8f3e56ea4c574deb376340a544b64

SHA1
b48954c258f1e1dfb1b597ab3a172e6812528b81

SHA256
5c3add68e11c7feae6fa6179a9e1e797212918e36ef6884ed62beb17a15f7cfe

SHA512
01a29fcfa37f82ce0f0c1458d9186361704fe54406cf52066573c59c874de539ad160fd83e7df66aac7a1a07a5f7d7b2c18b7ccf69a9d4fc7891d2b684ebdd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c046a04a2c07341e12ee5c3a417a010a

SHA1
83f76d2bb0d50c6830feeaf0493343c7a119c231

SHA256
9915a6e17f0bbd0db389ab44537d8c00a88d3ffdd3924302ed2c75f9af5b34e9

SHA512
2a552e826876ee48e3bd761bf7fad83184707c438871a9e8de6098423c0c487858d335f927c017fd1742d7d56c1340ba998ff578634b1761df1467a5308c19dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1138bafafd0ef5d4cbd50b8b37802886

SHA1
37846e8f14b92e720233ee8c21c7296f5f282d86

SHA256
dfe9d05091f641cf6f0cef9f0b9ac2a083f6d95d2db6ee9817d56d61e74b43d8

SHA512
d0438f77c5bb5bd01203d4625bd6e3a18db7310cfa8de9a1a6a1fe3af4ddbddad837d3b1dee406d58fad4b112eb8952ff5391bd305f96e55e996b7ed245f5d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1138bafafd0ef5d4cbd50b8b37802886

SHA1
37846e8f14b92e720233ee8c21c7296f5f282d86

SHA256
dfe9d05091f641cf6f0cef9f0b9ac2a083f6d95d2db6ee9817d56d61e74b43d8

SHA512
d0438f77c5bb5bd01203d4625bd6e3a18db7310cfa8de9a1a6a1fe3af4ddbddad837d3b1dee406d58fad4b112eb8952ff5391bd305f96e55e996b7ed245f5d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70fecf38fd038c48e05474d7fb031747

SHA1
5fa3992399bfc736adcd69c672270fc1bc0a82c4

SHA256
e71bf823f5cde7c9700904729d6413031e3343bdf85b25c4ad668b57869333a3

SHA512
8ab5910648110afa6456437d67bae8a9f1cceae62d1a27f6fadc4997fb1952bac27be55ee3c96ca409c949a92f6c9d26215653d93fdbdad1595798bc24808c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c046a04a2c07341e12ee5c3a417a010a

SHA1
83f76d2bb0d50c6830feeaf0493343c7a119c231

SHA256
9915a6e17f0bbd0db389ab44537d8c00a88d3ffdd3924302ed2c75f9af5b34e9

SHA512
2a552e826876ee48e3bd761bf7fad83184707c438871a9e8de6098423c0c487858d335f927c017fd1742d7d56c1340ba998ff578634b1761df1467a5308c19dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c046a04a2c07341e12ee5c3a417a010a

SHA1
83f76d2bb0d50c6830feeaf0493343c7a119c231

SHA256
9915a6e17f0bbd0db389ab44537d8c00a88d3ffdd3924302ed2c75f9af5b34e9

SHA512
2a552e826876ee48e3bd761bf7fad83184707c438871a9e8de6098423c0c487858d335f927c017fd1742d7d56c1340ba998ff578634b1761df1467a5308c19dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvg44oih.niv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 608192.crdownload

Filesize
1KB

MD5
85a1e1c0cc3b9f043dbacfff56335607

SHA1
ac4cb655a78a5634f6a87c82bec33a4391269a3f

SHA256
e8c4ec795a14587d3b3ce34b73eca090ea9d9957fb612300abc6239ec293eb26

SHA512
9531d8b59be82c3ac2b05d4a2831bd75c4a8f09e1e3c58a900aa323a9b942829afcc066c406089baafda7f55269f9b46216c503cee487ac5b2cf56dab4df1dbb

Download Submit
memory/4856-12-0x00007FF9E3E80000-0x00007FF9E4941000-memory.dmp

Filesize
10.8MB

Download
memory/4856-9-0x0000024CA5480000-0x0000024CA54A2000-memory.dmp

Filesize
136KB

Download
memory/4856-13-0x00007FF9E3E80000-0x00007FF9E4941000-memory.dmp

Filesize
10.8MB

Download