542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
12/03/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.exe/NoEscape.exe-Latest Version/vc_redist.x86.exe
Size

13.1MB
MD5

1a15e6606bac9647e7ad3caa543377cf
SHA1

bfb74e498c44d3a103ca3aa2831763fb417134d1
SHA256

fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14
SHA512

e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd
SSDEEP

393216:S1RPq5dCsKSR65cX7Eyd/qnejOFxP7OEnl4L/Vvc:yP5iw56oyleej2OEnlwc

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4040	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{B28FB86C-A2DE-47D0-9EE3-B5828F0B8DF8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
4908	msedge.exe
4908	msedge.exe
4632	identity_helper.exe
4632	identity_helper.exe
4848	msedge.exe
4848	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1876	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4040	3568	vc_redist.x86.exe	80
PID 3568 wrote to memory of 4040	3568	vc_redist.x86.exe	80
PID 3568 wrote to memory of 4040	3568	vc_redist.x86.exe	80
PID 4908 wrote to memory of 2168	4908	msedge.exe	86
PID 4908 wrote to memory of 2168	4908	msedge.exe	86
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 1644	4908	msedge.exe	87
PID 4908 wrote to memory of 3100	4908	msedge.exe	88
PID 4908 wrote to memory of 3100	4908	msedge.exe	88
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89
PID 4908 wrote to memory of 396	4908	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{A3BF6EA3-0CCA-49FC-896A-A8640B5375BA} {546C6E2B-5139-4BEB-9DE9-524AF269D0E0} 3568
  2⤵
  - Loads dropped DLL
  PID:4040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc3423cb8,0x7ffbc3423cc8,0x7ffbc3423cd8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11595484391783319094,2174878521690635786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
  2⤵
  PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
15baf463051fc3ebc851e317def32307

SHA1
a86b4262aa703c5fa1b7db99d920bc0bae66a0c0

SHA256
044bc43f98b8873fdfa507a99f1d63e2aad02ae3effbcd96230af41d131a2467

SHA512
82da22b39069798bbf79cba9afefb195769ae3720c9e199ca5bbac58cea167df6c824852888ae29846c36f93a696d89bab7bdace8399a95dacb8335ffe6bc1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d689460ea28ce7a8874f7636245b1c3b

SHA1
428ce328ac2236b21845ba2081186668fd4fcb8b

SHA256
2d87e82b3f18344f7128258f35470f6c57a01504d6a846da0fdd5e2574ada406

SHA512
644f310cf71a7d435541c8e8ad4f964bcd2d4f3674a53f7685c388a04b1155977121696a691c4af623974c9c5cf4334226ddb9ce9eacb02077bf44b83a6fd5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e2a5970597ab885dcb7e54812fcf6a18

SHA1
0568f17e49973c85a35c5712ec1a2e78832cb296

SHA256
454371ef4726ee8fb6c78aaa171108944bb6c2aeee4e06c38394aab0dcf8cdb5

SHA512
60711db2bae86d6a7f7237b27470a92a1f1d22c78ceeb69c629d6e7bcbb34a784f031ff875c02548ca2fecc2e24581f050bad8493c7ed098f9cde5d24b912424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7961ffbc34c8d3d8f7b1ae538bfa5111

SHA1
cc05b1980ae9c9b8c27510f498633d3fb9f4098b

SHA256
7e33158358db4c28c9bba9e717ad34bb07557406e43f6ca9a6aad6aa5d666e6e

SHA512
8cf49223f62fe329922512fadcb7c7475baba651c11f4e6c7079cd848335eb67a87a2328de2d177e4cb26daa10e877cfce568ac4bc59513184a245754bfd2513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
63eedfc819a7bb53016f218eded2ef66

SHA1
fa68025c3e2197bc25f5bdaa0857915704943fdd

SHA256
87522694ad20d44d520f8cddf45a6df3730e136ee9da7123f7454c79164e6d0d

SHA512
8692dc5ab1e0c41392e9807d3d25935fe31138e4080b5e1167c9ca641ec4cfdeff148f58c36fbd6c8be97807179e151524639ff60c72416aaa2dceedc53e628c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c24322483c3bf21333a174a8fd2e018

SHA1
528e814dcc33ca19244a38705e26ac2031c24c63

SHA256
fcffe072512eced8f6cf855932f8f4f7bfdab47491b92c00a4f5436b760240dc

SHA512
6f24ff3313737b94af69ca0bd0d017e7d66f133c66d6df06d6bc363cbb917d46d4bf497415f732cfc2a5e5de92ad577e9a077e0f1299b3d9687fa81d4f548ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
021e0e68282403164b6a7e756628be2f

SHA1
02ff0e6959faeda540bae2577008a41e13f0292b

SHA256
b13d7324d506146692a0f1f91358d52f7fd6aac826f723578035e3fb6c5eda6f

SHA512
87a78e52b6452cd90fe8ef2911a3fe5c0cbe4cf2f6ae1e93a58425e9540efa609d129202b568db934140bbb2a0ff592aa5b85e4d2c97db2af30c0b3c9a597f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7340938b-6b91-41f0-a316-48c5b43ed0a6\index-dir\the-real-index

Filesize
2KB

MD5
cece5f553163ba7dee2df684208d196b

SHA1
1542f17429e092f4935d17e2e2ef35a0baa66d90

SHA256
5380f958a30ffb19f22469cba7a84a48a38ecbebd4a3723e3643a054c5122786

SHA512
42eb43dbc9375a42771ad4954eb00beb214b5ca7a5e41e425f26bb674082fd79364321277e34d77adcc704f399bcd5ef9bc341c54fb807153552db2518664d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7340938b-6b91-41f0-a316-48c5b43ed0a6\index-dir\the-real-index

Filesize
2KB

MD5
1181e1898f9f42f038298382748a5ebf

SHA1
702a78e96a420cb4ea58be62c91ac6b758bbe8f2

SHA256
70c71155b0004dcf8b517c0fe69fcf21a777a60ad875fc9491657d7836c14282

SHA512
39df29f4734e69d025adddde244616625b947d2efcef800b6caadcc8ddc74767c64dacb8f38c1068286a880896742df5d69e1c62661785f616d91a91afb9845f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7340938b-6b91-41f0-a316-48c5b43ed0a6\index-dir\the-real-index~RFe58fa97.TMP

Filesize
48B

MD5
e090cde6f459f06bff4bba2d240bb213

SHA1
d106f3c4842fb9545b09114c0c84efa49ff42ab3

SHA256
9e379b38289abb79513d0188750faf25406fdbbdbd2484caa146c3f788ae4d32

SHA512
0d3990326a45712bbced5bc26cf9ff8c5fc0f5853f6f99f3f35a03a61de18b3f63229f6b166197967f63f960704f198550cc52e945898d9d5b9d3688b49c143a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
6394aa64654b12e38ed118119e695e08

SHA1
f5bd5ac9a6d8f3cc4713b588b6de8419d5144525

SHA256
f4891c32d4debed3eac6d84f885798c746dfa999b1f93e4e5c1ac4518694d252

SHA512
8e1e7c9bbb4f10ef2cf9e5b7ffd85d93229d7b20ab70411c625ae53c999729e98b0a47107946efc133fe0055b2279ece2fc94609dafe3b9eb4e5780a6bd8afd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c3ca9c5f4fe7d4f4c2a8f202ad892e7f

SHA1
78fb7b2766006804c08798925a6c359e7eeb3b5b

SHA256
71844384a701c79238a2b5dd1eacf4f30b41e590eff40c7fe6c0330d7c636f07

SHA512
0130cfbdb2e5dfb5bdc09c0826ff62f2dfd05278e0a4be86548504eb49f08d01a83c4ed46637d01780735b5a8a2ad9d9a6b91e7eec12ce821c26a8216b2c593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
8875c2b751c59ca03f7a9554fd62a9d4

SHA1
5540374212f0618f3293a106c6a20ffbdd730381

SHA256
5f767eccd3304abceb0aadef89a99dc8e31c31837e2327a1c7837718fb625daa

SHA512
dbb3e4314b878a6d565e1376fabe5b9b9d84e2a98c7a712ab4a2f4c9a1da7b10791267a2537698bb7820ab6442cef7ab853fe13b6aaa9a8c3eeff9f2540d7977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
922c316238a79027075a828df368e4da

SHA1
6f3786f33e419b86849a97ddb9b0e399e73cbe3d

SHA256
f14dcf650f52a7431b9d792e383b33c544a6102fc156ccd4a331feda9f8a87fc

SHA512
b2d1809c408ad0c9994f47d8207acda2e0718c94e8924de17af88f2739b9ae7439568be808ecfcb3c05581c88e87906076923cd10ef6780d6e405528f0d33bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe589f48.TMP

Filesize
89B

MD5
88a8f221ad17b3c3cc6a6e91aafd2491

SHA1
51981bbd64daf1813c6245958683d4e2eec59a94

SHA256
6638effa3e53d7f62c3a3cae1e1fed7c0f47717f9eae3c06db49db8c81222bfe

SHA512
d229db287991963235e0b2e0c483081c4faf4c2489d5c769198e5762edefa6e511c147c0cbf62bfb5972c84abe11deb5d7a34dcfeb758ccd52ec3e96d04025a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b71f65ba10d276eba2b37908530cf844

SHA1
c18d8502ff935d2676a00ce5a7712d2d09d36754

SHA256
0213fc06e4f4d91f50621cab1132d78dd5e37e3d344ddf5965fab63e780a7158

SHA512
2fdc65980f51a1b656c211732fd6b1c257a649c546517b7ad05652120ae809fd10f93bae9d72969814ef2279f0babacff780527495597d24b9dc3244098b68cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ef1e.TMP

Filesize
48B

MD5
0e69f98ee850168cb74b587b60908be9

SHA1
3b577b1a63d5139613eec7f13ab3c2695f1df655

SHA256
19abfc1a97d59aa3306338d334b9fa9593c22cf639d2b0ac40ac4d9baa8099f4

SHA512
c348e4b6a5c8a7bd794c8778fabcdef2070686e65df10a8b2b1358fc06ff30c0a5962441776d35bbe654f4a75b0cb4f8308e5b6e0aa002e4541752bed1f71c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c9db68e475d3b1c51da4bd047bdfeaa

SHA1
5973a86cf6b86e8614aedc1b35e54cad78330fde

SHA256
eb3f31c1740f0b17bd7d45b5887b6e25b9a38396af36b265c7eb5e294ccde363

SHA512
0df0001756a21172ff29efd72136cda2444fbe9c1a7eda3a4047ba5c61a3b465b826e332d04184ce72de610c6c285cb2fbb4249559825e7ae3183cec16750ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bdec.TMP

Filesize
538B

MD5
3022a019188ee95086baebd8a77e9779

SHA1
f2f5ea30f17b2edfde50b124ed55cf9328257824

SHA256
daf8f9149b078aa9ac278052667c3b208f8150cb26722be3d06558e328cc8ff2

SHA512
8aca81ba23e876c0364682cac510d02eb0013188757abd0770ccdf5702694971ff3165c4499d8a188ba339302bc2f7642fa6bb2982bd8f0f765c06e5886b2aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
782478d851f3c840e97206755c0254d3

SHA1
2776e66fef36bbcccf9f8b021df8acb3ed657d53

SHA256
d4190361197ec3bbcca3d9c338f09016db14b8edea71301048ca706075f8ecb5

SHA512
1bfa793e8bf692b1f71cf31d9745b2d06d1fd7f9e448d0d2aa0fde827ceda62bc289f4c52731f8b9bb91ce42da4952be22ba3f3cf7cbe7eba63d6ee1d130a8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit