aa126abde8bf474ff9d0c8b3c589848d1a352b944ded4828970267d2a0c038bf

Resubmissions

25-11-2023 19:05

231125-xr1vwscb46 7

25-11-2023 18:58

231125-xmvhbaca92 7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

genshin_update_mods_41_26_be4c0.exe
Size

6.2MB
MD5

ce5415c477a478f1b60dd1267770030a
SHA1

4fff0863e9ab65d44c91803d43702ab44dee6e3d
SHA256

aa126abde8bf474ff9d0c8b3c589848d1a352b944ded4828970267d2a0c038bf
SHA512

59eb7f2eb43dd25f3cfab1d4a5d5c451623c9c8621b16bf09a4d095630c27c6ef6ac4db3fd32a9113830412c9853ce24d73a97eb45ec081b4501a8f556a56269
SSDEEP

196608:NasQbxbAQnwejuJDUX47dwdW0LBwnCOD:yxnaUX47d4SR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
956	genshin_update_mods_41_26_be4c0.exe
956	genshin_update_mods_41_26_be4c0.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3811856890-180006922-3689258494-1000\{453A15E4-AEEF-4B0F-898A-0C7B2DA8F465}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
1984	msedge.exe
1984	msedge.exe
4916	identity_helper.exe
4916	identity_helper.exe
1052	msedge.exe
1052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 956	544	genshin_update_mods_41_26_be4c0.exe	85
PID 544 wrote to memory of 956	544	genshin_update_mods_41_26_be4c0.exe	85
PID 1984 wrote to memory of 1428	1984	msedge.exe	105
PID 1984 wrote to memory of 1428	1984	msedge.exe	105
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 4520	1984	msedge.exe	107
PID 1984 wrote to memory of 3400	1984	msedge.exe	106
PID 1984 wrote to memory of 3400	1984	msedge.exe	106
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108
PID 1984 wrote to memory of 772	1984	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\genshin_update_mods_41_26_be4c0.exe
"C:\Users\Admin\AppData\Local\Temp\genshin_update_mods_41_26_be4c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\genshin_update_mods_41_26_be4c0.exe
  "C:\Users\Admin\AppData\Local\Temp\genshin_update_mods_41_26_be4c0.exe"
  2⤵
  - Loads dropped DLL
  PID:956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc2b246f8,0x7ffdc2b24708,0x7ffdc2b24718
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13831793120777675367,10668575779778955014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
c1169c27234242f2f17d8d704d2458df

SHA1
f7dce1965e9f258d1c23ecb1077151b1e9453321

SHA256
77fbc4240b49263e8791780ab2209bc00eda07a8bb8d47718e1948f5cef61223

SHA512
e81530f2051ffe28bc031b7e540267204d8cd43bf313e403c76e671286c3c19ed36c3b958329931a184f644e89799a09c48d86a65494c9d7b06f8c3df7ff14bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0629525c94f6548880f5f3a67846755e

SHA1
40ef667fc04bb1c0ae4bf2c17ded88594f0f4423

SHA256
812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee

SHA512
f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
24fc5fd18aab52176b10b19ea97af68a

SHA1
06c67a4c93cca554ce2b39571839dd24b977a26a

SHA256
ffa585e6a73cd12c18336f95411c4ecef0ffd7a91c30e43cfcd5cbcf6abb22f8

SHA512
27f74b8472f52484b727ab7e435496d985e9397e2734ac6a2b077682250f33a04ad064c129976d414ad71a157d164689de1068adff38af547e8def4dd829e9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1777acf61f9e9bd2ae9d782131d91d20

SHA1
10708b76d19cdc5da482fcb661a34163983c3a54

SHA256
8951977c0065fb25f37711cfbb25a2e69aa318c7af882723406b85eafb7101d6

SHA512
2afe3b74e45ab496d2c3655e6af9288b610a0efeec463f45114aa1514786f193c4f438b66a360295b12327a93dd8013882e1b01ef439c01f2a6d71fc8fcb4f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d7612fce226b4cb1320f084d3581b76a

SHA1
5288e6ce4333e57b82da0c251d68fb16f65d0d1f

SHA256
fb26a7a04e4eb16ccebe6fc56e961173c7d9721624d41c09e21ae830f62a5960

SHA512
ee95d65d3c860c167aaaaa6795bfbb956ff600cc5fbbfdcb9bffd28ed158e46d4d3d16e610b0a14eea0042095189ddcdd1e2c26ba595586a75eea5e635759226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ed414fcfba96b2861f5f7883960dbcc4

SHA1
e2e46c0668c4d716de7286d91025589e97baf57a

SHA256
69715d73ced1136b8badacdc973bdcf79b6c0f8e4e4eb97e1e43d0a0b0ce3272

SHA512
7c1669b5b551fd968f2ba339dc32792c45c74ca009a6b82a68bff7c57c1377f7aa152d937437da82de45908bc649f0eba5f70cf1f44612d673d634359a5c2181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2d9586f3132bdbaf9b8397ad1ea41e4e

SHA1
41418d16f47c729c5952aa94558a979165244845

SHA256
8d317bdb1541201645319c10646d54e7161067f9d321dc13bfe58a5d1f4d0733

SHA512
663446bf38b93074ccfc4f86aed033d374b9e4f8d5e106ad67e026d7d216d5c24a87844119a725f05a86f54ca3136972495ead3c0734db7c8d6b099e3a0988f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02a871784970decbebe47b7770168c7e

SHA1
b09532f6cc0da2963cdc4fbaf672b457677ace2c

SHA256
130f7c82b2da75e8639b92ffbe78df9bd037973bc9a9fc90e190a23e236473d4

SHA512
3a88a65048e55812ecb9d64bb28269f1680140cd93347f74ceb9ad87fc43d767cf340050629ce415f14153d489bffaa0f7356fdd69a0c78fe0cfcc59b3ca9807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591ee8.TMP

Filesize
1KB

MD5
592a04326cd4b336f3c88ce212a8d06d

SHA1
f9dc892d5235b6157ea7db9b5436c735a0c849c0

SHA256
3eecad2f0d8300611019ad0d00c8ade043d763cce77bc6164409ff9c78ef5346

SHA512
415ea00198fe67d4b6bd06a2009cedc063a837fdfa0b1b74f6fd010ce7539c64b738003f7d55cfb530ba8664c29475f080af67170395034d4faed32e3b79a08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b4624b38-09d1-420c-ab52-cbc1dd7d6bdf.tmp

Filesize
24KB

MD5
fd20981c7184673929dfcab50885629b

SHA1
14c2437aad662b119689008273844bac535f946c

SHA256
28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22

SHA512
b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9906adef746b2d53b8cd6aa7b21f8ce9

SHA1
8f70bbfd96d19fb7ac6a709ff7d0c9410ad081f9

SHA256
c62c42980826cf8b1a50a78e80919d910a30e235096fdbc0714b51b02df2a7d6

SHA512
358fea588c7238152ba8e645fc65da5c4ed27b7b4fb18c5d051a2844854d1999df267211cf34eb7eccbfb25c8f3bacab72b691fbbb6c47c8b5384617eb781d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_decimal.pyd

Filesize
247KB

MD5
5e8aa9cd4742a51acc5b2155770241d5

SHA1
af030327ea6702a081de422168d812263f581470

SHA256
59fee7a8d0a85ed98bbf5dfb7a0ad64b60cbe88427efd98b3c9faad3e4421a87

SHA512
e751621902897db7274b481386a811d2aabb63aa67759107c2f61bf29afc5437e7f5892158c83810dd5b5b498d160e308e6ed6453102d9bb58fc8f7dabf58697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_hashlib.pyd

Filesize
63KB

MD5
1c88b53c50b5f2bb687b554a2fc7685d

SHA1
bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3

SHA256
19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778

SHA512
a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_lzma.pyd

Filesize
155KB

MD5
bc07d7ac5fdc92db1e23395fde3420f2

SHA1
e89479381beeba40992d8eb306850977d3b95806

SHA256
ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

SHA512
b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5442\unicodedata.pyd

Filesize
1.1MB

MD5
2ab7e66dff1893fea6f124971221a2a9

SHA1
3be5864bc4176c552282f9da5fbd70cc1593eb02

SHA256
a5db7900ecd5ea5ab1c06a8f94b2885f00dd2e1adf34bcb50c8a71691a97804f

SHA512
985480fffcc7e1a25c0070f44492744c3820334a35b9a72b9147898395ab60c7a73ea8bbc761de5cc3b6f8799d07a96c2880a7b56953249230b05dd59a1390ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit