hxxps://cdn[.]discordapp[.]com/attachments/1210308753275224164/1210712513851686932/Spoofer[.]exe?ex=65eb8ee5&is=65d919e5&hm=46ff1adf3ab58fa18bdd46cb9ddb553cb2d48e024e2a23389a5eeaef0af09ab4&

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1210308753275224164/1210712513851686932/Spoofer.exe?ex=65eb8ee5&is=65d919e5&hm=46ff1adf3ab58fa18bdd46cb9ddb553cb2d48e024e2a23389a5eeaef0af09ab4&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3384	Spoofer.exe
1668	Spoofer.exe
4368	Spoofer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 57206.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3848	WINWORD.EXE
3848	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
412	msedge.exe
412	msedge.exe
2756	identity_helper.exe
2756	identity_helper.exe
4880	msedge.exe
4880	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3384	Spoofer.exe
1668	Spoofer.exe
4368	Spoofer.exe
3848	WINWORD.EXE
3848	WINWORD.EXE
3848	WINWORD.EXE
3848	WINWORD.EXE
3848	WINWORD.EXE
3848	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 2724	412	msedge.exe	66
PID 412 wrote to memory of 2724	412	msedge.exe	66
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 232	412	msedge.exe	87
PID 412 wrote to memory of 1080	412	msedge.exe	89
PID 412 wrote to memory of 1080	412	msedge.exe	89
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88
PID 412 wrote to memory of 2828	412	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1210308753275224164/1210712513851686932/Spoofer.exe?ex=65eb8ee5&is=65d919e5&hm=46ff1adf3ab58fa18bdd46cb9ddb553cb2d48e024e2a23389a5eeaef0af09ab4&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0xd8,0x104,0xfc,0x108,0x7ffad15846f8,0x7ffad1584708,0x7ffad1584718
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15896865859495922180,10363204402029579521,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2864

C:\Users\Admin\Downloads\Spoofer.exe
"C:\Users\Admin\Downloads\Spoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:912
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\Spoofer.exe" MD5
    3⤵
    PID:3056
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4472
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2996

C:\Users\Admin\Downloads\Spoofer.exe
"C:\Users\Admin\Downloads\Spoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:5092
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\Spoofer.exe" MD5
    3⤵
    PID:2800
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2132
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4360

C:\Users\Admin\Downloads\Spoofer.exe
"C:\Users\Admin\Downloads\Spoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:5052
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\Spoofer.exe" MD5
    3⤵
    PID:832
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4344
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4372

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Downloads\RestoreSync.dotx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65a51c92c2d26dd2285bfd6ed6d4d196

SHA1
8b795f63db5306246cc7ae3441c7058a86e4d211

SHA256
bb69ea4c761c6299b0abbc78f3728f19b37454a0b4eb607680ed202f29b4bb01

SHA512
6156dd7cec9fee04971c9a4c2a5826ba1bb3ef8b6511f1cdf17968c8e5a18bc0135510c2bd05cc26f3e7ae71f6e50400cf7bec536b78d9fa37ede6547cfa17e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce1273b7d5888e76f37ce0c65671804c

SHA1
e11b606e9109b3ec15b42cf5ac1a6b9345973818

SHA256
eb1ba494db2fa795a4c59a63441bd4306bdb362998f555cadfe6abec5fd18b8c

SHA512
899d6735ff5e29a3a9ee7af471a9167967174e022b8b76745ce39d2235f1b59f3aa277cc52af446c16144cce1f6c24f86b039e2ca678a9adac224e4232e23086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1561c9667b1d9fb75eea6c926b3fab84

SHA1
bdb752290fc09f6faa7cef96204208993c69ac91

SHA256
0bb39af7c8b53e928cd4dc88ad3d61c1248d26f7035028ea374ead404383f372

SHA512
b70688f31ffa2f06917ecef1a90f1b4d68415efd17108a48e50150b27ede2bf46dcab61a18d035508c1bd48cad01b636e3046f8a15da892f111ac9406af13186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
012ac38c7db1fa664441ab6b22887354

SHA1
3e385b2d0b4958a56c782ec9b32fdc2470ec155a

SHA256
27436fee98ba39e8330ad756eb6dc9601a9d47f8899c87b5ac869e11d3ff00c5

SHA512
fe8446f633da780fedcf68d0975989f690f90b1d40a88553d2cf1ba92010e2f227f39e6967499cc4bb7fe2bba668e6b47db9a14cd6b4ab7f9942971656d2cf55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c399c6d5c1ac56b193e93db4784fe40

SHA1
3152811842b2d4594e0e00d41f35bf55ca55defd

SHA256
af9ebed5540b68f6e393442c9ff8293cadf83e62450944547b1c96162a7a9bfc

SHA512
1993e016e7fbf78b1f68b0cbfe0e90fe64da5cc4e0dde995f5fc6f3e4cb160277e7a2a0fdb8fe7cfb8f318fe177de79c6b30adaea02a43080c305aa0817ec217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7ad84df175f96318232aa70494cdfbc

SHA1
225abdea7447a6985a54627ed4903f899ec3f372

SHA256
76e6c0bdd296e31e2dbf47cbfbd455324da5a91edf76d055679b552d795a03a4

SHA512
43cd4fea7283ff3180d9036202f3b54c1e35542635f75989665fcd26992c3c53dfb8a3a6aa0061cb3a81e8c795fcd663796d141abc018e940b17e52b821affa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
a10047f70efe4bfaba5fbcdc1aa8475b

SHA1
8dc04362d16655b605970c15b9ef84d1ecaf7423

SHA256
fcf6812f98740cf0695c05646f849d1dd416aaa4afbf3327f3b5974d192cce63

SHA512
f631ab20b2926ea8f6c02300e9432f4dc40f5ff2f647431d1ad28b6fb3a2bcda7f8f85e42637be08c14a3cc9a8994df8d75b2f249f380526371b11e232651c5d

Download Submit
C:\Users\Admin\Downloads\Spoofer.exe

Filesize
657KB

MD5
57f173048d43318c6de29f76a2367db0

SHA1
67db6c6db95f6802100b3baccb6f5fa7e02d4454

SHA256
c5eb1addfbbe5c0fb32b64650ff1881833feda6f48de1df58e7398a6345f27ea

SHA512
9364ec1770efa69e04a3603d254b1aebf1985d503512f630b7265c42b22be90be56bd378a556e828a1067f5f487c087ee828402255628f221e23a3a209d53259

Download Submit
C:\Users\Admin\Downloads\Spoofer.exe

Filesize
357KB

MD5
08265472c9ff9492f88baa7e77f69276

SHA1
257170115b48f4f8fc1d410551541f24997e3444

SHA256
576465c1d8477397af6da6293696dd4a6a08a5f4ab03e6d037908749971fe99f

SHA512
b6c1155ad306ff65ad594b90fedc3d9762fc1c67740c1ef0629f98491e537578bd735e73cc3d8589dea8632a8c5f3aefbd3c2050084ccdabc4e39d1cfbf6f869

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 57206.crdownload

Filesize
64KB

MD5
ce7bc8923800d0d655b8402f050b7dd1

SHA1
b50f02090b62972dedc9737cf8af57f5411322c1

SHA256
7107602948278f5cbb74ac42315d8df2e70164a22829038ce5d29ce0f48efb7d

SHA512
59150e8b3576f1503bf3d2ff4056e20659cf8688614b2f2122da1a07da69857a2628c3fa2a4505e4f2869279fc4c21b22d4bfca75b2899945404f69c29ac865f

Download Submit
memory/3848-104-0x00007FFA9F190000-0x00007FFA9F1A0000-memory.dmp

Filesize
64KB

Download
memory/3848-112-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-103-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-101-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-106-0x00007FFA9F190000-0x00007FFA9F1A0000-memory.dmp

Filesize
64KB

Download
memory/3848-105-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-107-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-108-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-109-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-110-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-111-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-102-0x00007FFA9F190000-0x00007FFA9F1A0000-memory.dmp

Filesize
64KB

Download
memory/3848-113-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-114-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-115-0x00007FFA9C990000-0x00007FFA9C9A0000-memory.dmp

Filesize
64KB

Download
memory/3848-116-0x00007FFA9C990000-0x00007FFA9C9A0000-memory.dmp

Filesize
64KB

Download
memory/3848-117-0x00007FFADE760000-0x00007FFADE82D000-memory.dmp

Filesize
820KB

Download
memory/3848-99-0x00007FFA9F190000-0x00007FFA9F1A0000-memory.dmp

Filesize
64KB

Download
memory/3848-100-0x00007FFA9F190000-0x00007FFA9F1A0000-memory.dmp

Filesize
64KB

Download
memory/3848-151-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-152-0x00007FFADF110000-0x00007FFADF305000-memory.dmp

Filesize
2.0MB

Download
memory/3848-153-0x00007FFADE760000-0x00007FFADE82D000-memory.dmp

Filesize
820KB

Download