hxxps://sites[.]google[.]com/site/classroom6x/cookie-clicker

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sites.google.com/site/classroom6x/cookie-clicker

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4636	msedge.exe
4636	msedge.exe
5064	msedge.exe
5064	msedge.exe
4248	identity_helper.exe
4248	identity_helper.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2196	5064	msedge.exe	83
PID 5064 wrote to memory of 2196	5064	msedge.exe	83
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 3172	5064	msedge.exe	85
PID 5064 wrote to memory of 4636	5064	msedge.exe	84
PID 5064 wrote to memory of 4636	5064	msedge.exe	84
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86
PID 5064 wrote to memory of 1520	5064	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sites.google.com/site/classroom6x/cookie-clicker
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99ac046f8,0x7ff99ac04708,0x7ff99ac04718
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,13620491985372361543,2090263252288548100,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0629525c94f6548880f5f3a67846755e

SHA1
40ef667fc04bb1c0ae4bf2c17ded88594f0f4423

SHA256
812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee

SHA512
f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09426cfe-443d-4192-9017-0d410282fbd6.tmp

Filesize
6KB

MD5
61187c7ac5b0467e7adc1f447bf5b674

SHA1
e530693bf6ed4bf782f3d751c92bafb22a696624

SHA256
0cea27103b408dbdfe315319cd24f9723532f7a4766d3027cbe188f254f8d11d

SHA512
f0dd088dd73bb178c378f1d2f3ae9b982af035bd8955123cb097310259f867a62a7b5e408275f3fc928545e7b716a90aa2377f2349f695f718efa501991b9629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
20KB

MD5
2ca43a7e9a4071b6e42b798ed3a51bde

SHA1
95ba7cef2ce26e2eec3a9ab173ce12c24dbcee6d

SHA256
60a2f2a39b716c74549a23808c34ef61559cc14b880b008b6423bf3a757a2891

SHA512
d558485bf4f78c81ee8eaa7e9b7b986795f3a567942eb3ef9514f3073747441d3dc9c71304d9a5cce3bd05142165931058cbaf579db057fef523f07e9298495e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
91KB

MD5
04f6229708c58994e06f3609614e8f88

SHA1
36a9997d70a77e639d3098070df55d701c845248

SHA256
e28cb798f21d11214a1c18cf6d64a79dfcd32b0224994fe977010450374dd2d9

SHA512
9472ed23d8945ba34b322f0bb91166df338f1b4740c3e170f0f8468dc0a158d209055be8f6dbe9fb2280d2e6fbec315c2cab09977841ba9302b3ed5785dfebe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
81KB

MD5
b6430785c107ec57c95963d75da6bf14

SHA1
59c31bb34bfa213570a263e10f53c5962ec727f6

SHA256
2b5c390638ef0da5b6bcf0ce48faa4196bbafaea34a3fd3f37d72e3e75c11c4c

SHA512
da3bd658b5e6907be3af2c100d48185a92d03c2329a15b7f6e3c49c6b138f81732a2a63d96428f6a173d92f6a1c84080f5ab5bd100233554684b40b64089afac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
19KB

MD5
52912305be1d42d4229f8a741d4f5dbc

SHA1
9e65d8e23abb9fa44aa6a1888d4fce2bb9c5079c

SHA256
b8cdd2f04085c2a664c8cd3828fb4c6572602f916b0ca0816f92f9bc008e35d4

SHA512
3f7942805a687e1213c870ad8c2350c0de4777aebd2fffdb4f6c1ba0878067c34c7c78b659d924a185758d17bde35c269707345f57ebfbe33210e280e561e09f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8ea5a0eef41dbb5d2e97119ea09006a0

SHA1
91ff4bf75ed38e3b55b4faaea215eb1846df219a

SHA256
1ff2dc2a4c1ae5d4937e4665bfbe4fd6423beb6e26d344eb317d8dd49d8e4ab4

SHA512
590f04203b47b861aa8307463f16477f0557cae9a6258c3bf6afc3a68708919b9a8c2a2ee21f66d870ae3a4e38afa16b00409298d1ed61901b7255d99bf69b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
7b89d1c5ccf4e1ca91e82b67b7526271

SHA1
9ff74ee07a4a79fa9f84aaceadea5e9ba035ef26

SHA256
84fd10a9f47eb84279cd55633f0c6425c0d18e0d7a2169d8f1a7c3dc966ab201

SHA512
6bfb475eca89bbe77d88607948aae872ca35fa7c533451404d2b34ea82054f6bcc0f6433a0ef04c017a5f33cad6fbc0c9d05678238b85b2851b7d2d6019c8b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
76c6a8e948e9403c5ea913d8f512c3d0

SHA1
fcd9420252a3116499f34a0e54c95152ee8190a0

SHA256
e20169842ad953b62ee1d9b1ba6e0e305821adb5b4b62dd0ad3a080bdc3c766c

SHA512
bbc43a4189d463a0eaba23a34df2eba5bde25d177cf581c0340e462e8f7cd1c6f8c61b0c42f809d60918a2a4cfa44d93d85d91ca109d8d461a63dff9b0b4bb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
13dcc2743b97c35814d7a529146c35ae

SHA1
c8bb88c3254ff11051800d86d5fbe92364a8f0e2

SHA256
fb8dfc7a90d48d2a2e96328b5a6fc1657ffa24e160152d0f408b1563fb16080f

SHA512
ffa468066d63b709baa5cf305266d57a02084fc5c4466046f55943373105883b0c17238b9491ad89b992d1fab7c05162880f9fdf9e77f18afd4064ed0cb4c56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
509e6f0c4c636dc28735548bab40696b

SHA1
3dc6df609adb30a01c45ab97eefa188e8d9e3809

SHA256
72b5000fc4856ebbe727becbd70354d5f2badfb4ff323c0b76ef2f76a8bd016b

SHA512
4cad9d112f210f01eeda84d1385aecc8fd230cf85e9828579cabc8e90c103d3335fa3929f576907006f0624bcef1d8eae2346df68b7ab8f5bad32fdf6aa12767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
5a31870c36f5748efca7b65b14253ebe

SHA1
6ea333b1f3d04592b4af5c5b7ce1a5833aac8ca9

SHA256
aeb4aa2a2ab9c1df5b0f52454a335cba4fd35c3238b74cdd8ae738ce69c93975

SHA512
2898fc922b6e6b7748f9e512143a7f4bc29f6068c4bffc02cbfbd59f95f91336b71ac5fe5e7cbae1d477888abf5645b3e1f60a455618865a9975f880174ea94a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ef77062c019e508e1c0cff41cca4f7cc

SHA1
3c7370c6c735061ec4353f13034b7ec4f5184d31

SHA256
8b175d39cfd182d1099fb99850a60e3b297204adf77c9f55da130c0b7e7076ad

SHA512
7db450fe16be633326a86eafade979d41041c18d3da650b425ae4eb98dd71ed84aa62b3a8f01cff3474ee39bdbea0971f289bc0cbc40b06a073543c5964d4111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed2611206f2f2adcfe7f8ae01c2abb6c

SHA1
f69deaed6146f07f211f7ce48232d8b37ccc8263

SHA256
9ba029058d8d4516b7a8c7a64c56fa2b3bb88a91b9a6662ca6aec0792baa5e0c

SHA512
2e93a5235c283150be0a689c3b00381b040c26cde5b991dd13c8929dab79343ee2b2d4d21b5693dd3421a3d424ea3cc771d7b4b84ea3dcffe8db9c3374b822dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
25d63e7ae6262c5073df391ee4b3c579

SHA1
5530a7ec27a7a18f54eb3a7ed306f05c44f6147c

SHA256
266af950f9fc47679b0cdb1b4d67303215905afafb6fce53158a90b0bca34897

SHA512
91acf34491b9a679f4d3039ddef5a445b871e4f0166318eef92d970215e1cb0575837ee9277313c5364f436a4333a718f4974c75c25eca4cd9789aa495d40149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9bdbbcba7c7a37b456a70027f10af1d8

SHA1
0b45197417dc89a8835652ecb7e062169cc30c92

SHA256
4104447d59d2f8e8b20a388437d21d078650d5703f6cc82736c20a43a136ebe1

SHA512
1dcb936a2541fc8560c5e7e6560489f89c29112445c5e6f617c76fdde62c381f1dd7b9388f70f236a42a1bffa8ac327b3bfc136c0f65e9dff712fc47b3de26e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15f6d9154d0c1e69c399812b576e932c

SHA1
bb3bb681261b6956f5b41d4e640c788fe2cc58cd

SHA256
f6ad6622e51c8bd0d17768fc17a5adf8f634ceab7efc9947219cd1c89cc0887b

SHA512
7847ac6db5b39d93598f8b03ede7bcba1a95e8cf4849821f502af1046e62240f0a5629b45371e3632fb53d3e9f4012e2009bc00bd4ad9d6ca48e918ad7e368a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0b62454f75352e1353844c23d32926ed

SHA1
e74db564d0c0148bac5cdabdc6cf8c7a5b6672ed

SHA256
0909a537fd538165a4a994cddd573514ac3a510b643411dc3a4b860f725f0b56

SHA512
b71c96209ec6e61041be95d9435f55ac0eeea4975d0b63eb082d58a1e0ed3ad203026160ef69254db657a58ed0f8166e78dd88cbc77c3b4389bd37cd83b2b1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fd20981c7184673929dfcab50885629b

SHA1
14c2437aad662b119689008273844bac535f946c

SHA256
28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22

SHA512
b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba47e86ffe28a8c983baca22fa2ce71a9ccd6d8c\e85ccb73-ffd5-4bc9-bc01-5afce4541c32\index-dir\the-real-index

Filesize
72B

MD5
62b979c5d2db44f942c4bc885970dff6

SHA1
18cc4d83ff61af12a813a283b5b73ad282c210b2

SHA256
27528f2d9557ffbb58a84b6a0910b3e03b67d0fd7d6861b216bd86072ca6bda2

SHA512
9d08cef214f275b822c5d89da69d24a57066210a120970a723ec39ff086f4fba29c00697e43459431faade4e718476d25a6d51ca93fec4ba735952a103c8a676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba47e86ffe28a8c983baca22fa2ce71a9ccd6d8c\e85ccb73-ffd5-4bc9-bc01-5afce4541c32\index-dir\the-real-index~RFe58eab9.TMP

Filesize
48B

MD5
5af8e59ed823a8fdd178b7af99197ee6

SHA1
81558a6a5ebb14e75d1cde8e3480e55e3e73afe3

SHA256
b91435cc508b322dcf68527e593085d58cf279b9af37446e9845e6af7d3e752c

SHA512
15ce350e4eb25a45e3d333e869ec951a411eab848b0beeb1e13047e49c61221bcbd58bd7ad34999fd521ef65c6ca54bf198a282466ff9bb00fb51d7e523699b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba47e86ffe28a8c983baca22fa2ce71a9ccd6d8c\index.txt

Filesize
84B

MD5
1ddaf8e74bfc2d93f9b087ec8d18b565

SHA1
758be87241c62d6ccc285b21594bd3fad44bd0c1

SHA256
f998b7e3d476cd61168f1ca850a2f3489a82a8afb896b3e3dff687129bbb682e

SHA512
9f28e5dde80ac8ede021d5d5a1feda515deb9b5bc66fd688961bc0efaf0f97da29dec9462941e2a77744c475cbf2f89a176acaa47ddb55abde535925af6461c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba47e86ffe28a8c983baca22fa2ce71a9ccd6d8c\index.txt~RFe58eae8.TMP

Filesize
90B

MD5
ff0f2f5e1140800bd1b2f03f2be0e7ec

SHA1
fcd14b44392de071f92b6e1c3f1090b134f5a873

SHA256
538161b8e75ead5dadd13e7675414bb1b97ddbe3a2b4bd70ff64d46da99fb1a5

SHA512
49c8ee47410af21a01e520de6efd4496a93305b9be67bf51b46034b483e5a534edb812cf8d9af03708bd9b758c75853258cb01b699cecf422b6b1d77654a74b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
722f43bcabe9bc7c41a68d8422107a46

SHA1
961c49de1042e5bb084df56601199a80a301c81f

SHA256
be04599133ca314f4496d63bd6cf2babe6e280d91c109ebdd4bc57d8774e757b

SHA512
d17d570f46b68c491b9521eaa2229abd90a4dde7a42b6077f00a0f6e60c54ecb3d3a31598b54dc710401d23c10c35e4948f7b53a939ba5305b34a25cc503d6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e971.TMP

Filesize
48B

MD5
3dfd972564e0d95561efa0b0defc0045

SHA1
bda32ffcb24105bc4bc6f4408453234a2ce383b4

SHA256
96015639a6a5ad76d75cfde4ee70dc69c50681b6267860248b9f01e2da84b7a9

SHA512
f7070f50681190c91e80f574577cb1b4fa90ef19b6a10e686a39c495f4104b70a2eaaaeed9a64cb2e78249702a4c9fb540327709a18342f4883b59fe81ea64f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2bef8c156811f0d3553c91c319f463ef

SHA1
be21a37f37ba080868c836b9cbc59a0f640263c7

SHA256
699d4073c1926e8b25546fcafb40054e79a85f79652c8640e4b29665e8beb78d

SHA512
f4740502ef5b84c66e2ba48494be34b34eea170f887c951c631132660962b95f0e4e9c3b490367e85a0536530d3a9f9dd9a1e607b2430be5dd50cf105c6e9fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efa880954ba985b5b74601774f617a94

SHA1
b5b4291cde6a502e8bffa8aaaeef2906260b2306

SHA256
257118b364f8d1f45adaf02ec6372f0b753e2bb643800ddbfa33b57e0be7723e

SHA512
584ed4ecafa7063ab261c95d6b87428984836b92eb51842e873069d1663e4e1a04b09831596df97990ce9e3e1dba3d04d35658455b2d9f478be6d0cbe4fb7e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c0da.TMP

Filesize
873B

MD5
a2bf984cc6a01fff60665b9b97eb5390

SHA1
352d3e184c824f67be7012834eb294a26e271dbc

SHA256
23265969df49d7abe6eb420114f0ec4212e2bba4b5d02525f6a2b9dd1a6b226b

SHA512
8932569d9a596fdb06d67163788e8d83ab3a195ed795cb4aca2a52429742c08e7a9386cacce617a3076700ded797a3265fe54e2179d508dc1082cb9097d89258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a6ca6a8dd19bb0d948212ff6dbb0ab6

SHA1
e9244d093281374b4ccb8e99bd0811775f5943f2

SHA256
6089f090894dbf135a3ba2ed9bc45242a510e710daed83044ab3f2ac4d7a35ac

SHA512
3c5befc6944e8dead39bac980c187ded011e65314681bee302c0dc0c29dec93691d224a800e5c7b6fbe17eb1468ceeb42b9bd9db12a44df9679b7b81e8acad8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit