338af0ad5b0fb47fbd9c27b400e85eb0204f227e00d6eb03a14df00b7a463d32

Resubmissions

14/03/2024, 18:49

240314-xghlkaeb66 3

14/03/2024, 18:45

240314-xec83abh8w 3

14/03/2024, 18:40

240314-xblq2adh96 6

Analysis

max time kernel
164s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WCD Board.jpg
Size

74KB
MD5

42f61aa98d6253e0f5243f816abcd82e
SHA1

8e2d53b71e084146a9842d0f9a3c6cc73f79dbbf
SHA256

338af0ad5b0fb47fbd9c27b400e85eb0204f227e00d6eb03a14df00b7a463d32
SHA512

f72bd0e5de6263d8a45b6a47f51694ee93bc88e8590ee9b47c8e3f86fb0ed805be101c36302a6a6a9366a73df62dd0f912eedd7969a0090cc924f2348ad50616
SSDEEP

1536:qc13SlopKR8x1LPfd3bQqXyXILKk63GdHH/VkK9VLw:L1rrDV3bQqCXILKkcGdDXw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-609813121-2907144057-1731107329-1000\{B16C5B68-F619-44FC-8DCE-43EA067B3F51}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
460	msedge.exe
460	msedge.exe
3992	identity_helper.exe
3992	identity_helper.exe
5620	msedge.exe
5620	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 2692	460	msedge.exe	103
PID 460 wrote to memory of 2692	460	msedge.exe	103
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 5048	460	msedge.exe	104
PID 460 wrote to memory of 4060	460	msedge.exe	105
PID 460 wrote to memory of 4060	460	msedge.exe	105
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106
PID 460 wrote to memory of 220	460	msedge.exe	106

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\WCD Board.jpg"
1⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc062046f8,0x7ffc06204708,0x7ffc06204718
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5264 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3078825932120575046,17245477746778389567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:2420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
32KB

MD5
216ba90a70717e27f48a740b19ec2379

SHA1
2c0e798cd24a6aa821970dbacfac3d8a8d87c375

SHA256
11ef0ee66d8d32b84e19e0e01a6b19c576deba56972a5d686bc73fff9eb2c28b

SHA512
77ac97a0e3b23e4d34bafa25c2267c0eb1f736c5523db4c72ca0f276f94e6f0a477bc7ba8640f81cb1cf33f727b5f4ec4fe65131fa8f80d9fc818c54ed0fad8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
cd44c87dbbaf120ef787ecab0267548d

SHA1
a4fbaa0cc2bfd613cb0998eaff52a8e95ba45d10

SHA256
5a0b80a0ffadf2bd7ee0567a288cd0c0531ce24f03607daf4ce7c3c20bd69e2d

SHA512
2d4a2ec3a77deec3146bbb89cfca1821e1c4ee9848bdc594f8b642207424b4e2437ba13d67da51e417046f6fb230f847db98de67ebbb0bfdfaf414a0fce03faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
31KB

MD5
ce666595b1e32c646e9b0e163f530126

SHA1
63b6dede619f50eac5a3f5216e34827a43cca1c8

SHA256
991e20c499ce8d745a29cff086be03431c628d78fe36ca0ad73d45ba265c515c

SHA512
262924a5e1f73a40826ad17e5930005e7586201246ee2e2290421f970d46959602d84f4a1e0ff16925bbfeba8009cc4ae55c6bd5d9fb5173fa70247adaffe97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
63KB

MD5
52bdceb06201173e5eca9b2f9d7d727b

SHA1
aa520c6f7f0a5053b8d3c5a98c9a699714f00f59

SHA256
9514e251ab9403e407f5314006c4259ae7b9c0b211b67b767685bcb4d584a70f

SHA512
0d9af1cd449ef09da67afbbe5e87efb59e5b04b50923bb1271ea34c33d35e5eddd1b57a181c1efa126c1b5977b189d90e48ae41fc07e4033733ed776a43ca66c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
82KB

MD5
1ca1faa83cccc4e3bbe7136df6c9df0c

SHA1
f1daa3a89805d27371e539472f4c4cb5b29cacde

SHA256
37c8291ed6c20aa65e24da3c15eeaf8c8e1aea6ab7382f8ef38585c6765a1af9

SHA512
86f5e2e065adf2b16de165b8a576bb9488f456a92ce74819e4ef2c34875b9d81638b743bf08ed5b3a2c225b8d128ccd2b53d9b76bb5e214cdb2ada2f4cfae579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
14168cd0636083c2aa0acaffba659874

SHA1
e59558c0a738cddfd4185cecaa05a802d05df3d1

SHA256
55a513fdbc69b34db952f6069480f03a8a2af768883b099ea08c7bc84ab8ad4f

SHA512
e94fc8d671c3abaca3e230c7913aba004c01a9e9be1f0e199b6ad7aaaddb707c055d48c9fca03976a980dd5ada2297ff15af5dc3d60d51172e5d88ffca4eb6f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7d79b1cbc5df50c9cd79a5c0f0101bf1

SHA1
7d634a0a5fe1487580d293531b5a73ad72b1a1ed

SHA256
2a31dfadbbe65ca7a809ed534cde09479618bdffbd082572ff28a26cb3c05f4b

SHA512
6c23137a940892f6927f8b58247ffd675c78eed20e490c031de997b238ab1ba9e338d266a5dc4a850f5eba72788e3dc12f2c9c303159513da941155793f6537f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
674B

MD5
1f48da1bbf6e261c62c75c92c2656dc0

SHA1
f610b2b7240af33337cba82d4f7af51a64af20f7

SHA256
367fb3e3b2aeacee92abacecd2f21e56cbd76ff15e7174ce32cb6d41cdce4d67

SHA512
4dd7437e038ee992c58df646fc0db559b6eb78e85c6d8223a0e51291a3b607c19c7798fab89e193df3aadeee5153653131359db28832d48b1ff0b610275ed52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e3ee8f1302d92cdf031191202efce6f

SHA1
1299324ac38d6df56c34cfa6b2d5ed7bafd765b1

SHA256
7cb54381478b276d22d563373675e7af9976eca83ab0e3f23dd6c418cf61f251

SHA512
1bcc45694e9dfa00775bbd8f53cd0929f48ee9582194d303928ed1b8e1120d7a43df8df7c056cb5490110917100c9924ae0a373c804d95ec80e4db4bee5894c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f946a080873b7dabb7087476386f4d37

SHA1
890b9b00ddf32d9c35123bafea179443c343d257

SHA256
2affa0d4ceb73b87605dc6363297fd728c7f65c3e85300aff64494e38f98ce92

SHA512
91f71198bf64a2a5737036a5fbcaa6cf06ea7a04b2562a8a3de44e18d54ff114b67d4a028b1297cf472b168dd1602addb7577af52e6266946eef2bbbca5e4ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
434bb20e29a9b8cb9b0548eaaae0c92e

SHA1
6e43a633aca47741bea15dff395d9ecfe8abf84d

SHA256
4bedf9b9f2ea30ff5f8364f4f93da4983eacdfafc7e5ef997234948bbf2757eb

SHA512
96cc2ab4fe6cb7f0f6c50dfa39388313bd986f6b41a7eb704b697ca00d500970dec358f4cc20ad3c8294141041af2321cfc33f873cd2325ed02987d9b4ad52a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10bc5f71135a9986f3483d7f3416d9fe

SHA1
9f4780b8da5a21842a714ec93e289d6b1abc354b

SHA256
2471e18f84f4e0fcfadb9f35c52a222b5640d457776954398256aa1b307adf5c

SHA512
0d980362059a29baa71fe685201e4cfbd37f0221ef9b56f5c03302a9b8df0a687129e099e69c2bd8310dccc35fa98cbd89b96ca9379d50f8c0104777be40f9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69796bfeba9102d72c7dc8c459a55a47

SHA1
8af9a80e14e6b40117dc334329daa98a18ac5de8

SHA256
a9c14d307a2c31fdc9647b27fe85fad18516b59cffd09883f944827338c3a399

SHA512
f17b82ff867f6275bfca704257573116a495213c7568a25c93255d7f4b5799a92ba5a2fbca5b3540f1c3e3d1590ca8cf295b63f6aec9fbbf5ccc45a746132e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a85da30fa7e3909d2f004ab277e47abb

SHA1
5bac643fb836bb67200005f5f87a7d4f8570befa

SHA256
723f6ed68ee3220be7dd6ab2839efa58bf43d70a7a4e892a7b0df0f5aa9c7eea

SHA512
3a7ba56d64697ca832219172029cb8000e7dbed2637f243f5cbf9b1efa5a3230293dcc766f607de56e0cc529ba366f5b53558f7f9043931881c03c7491474bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
31753fc240778b24b229fe7dd472d408

SHA1
b91d4066837e99c7298bb3694cc031b434e08185

SHA256
60ead492151c7f0e421ad99c174991ab9d7a552e68877c4599725a859a024f8f

SHA512
b3c0d8ffc8fc6e00533cc7520f451e92667ebf2c222640cd9bf8a1a9256bebd340cdd5f2abba7cbaec4cfc908d8fe0c78952e1f67cc2ce8946e9fbd37ab6bb88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
457b95253c5f4faaf6a7dafd94862fdb

SHA1
b8822c8af858c7711b2c26ea966b8b3fc36fcfdc

SHA256
f12f1ab2c270ee39bdb507f59929268e4c83cecaf8f5e41a71bab2acd696c69b

SHA512
b6863313b58ca9d0832c755d7f9dee31f18088f42a91a7ae4e227f6660068ea2c68b147f7f8aa91b846df7ce20a9b4e126e56eff17157e6efc669f4d7aff5081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
59dc6292777102d353bca0af7a6cf453

SHA1
4ea6c444c536871cf1469214a14c552e5b0af83f

SHA256
579d738fd2d68743aec9fc4ea2a85d37caa1d728b6c542741dda1fc44292d90d

SHA512
74b0c3a58084d24e52e940ae4c2983a410ef55ea3e39098b195e48f36ff2d8b2e3e17946aba48ec25b8b229784cd5a1d5daa4b75981a394bf4199727b4153a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a11d.TMP

Filesize
203B

MD5
44e5200feaf0bf2834bd575b158a662a

SHA1
82e4a2c201b42d09d3b7ea0855998101b97fdadb

SHA256
585b4db378b5475bbaa8898fdad7017416e5f1cb04bf3e54c4c933e79b47a2d3

SHA512
f708db4d8bab5a902064432ed94bb3a52d08ffa4c867f1e1eed1a018f738312e69dba08131b334668ea180aaf920293c54990b1127d53e77a4465001c70221b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26d188bb4b62a9b4723544018d2f83bd

SHA1
b256a89e9d22c99194822943f2de15a68551dfaa

SHA256
388f56bd9c17918b124d3796503b78e4f94eefae8d0c4776be73e0870f3d4c89

SHA512
ad929456bdf6965f98b98d26d2e01f825951d4683c9721f411de7ddc28f9bd730f0250dc4329acd8e40e1d26be6d53149856a93e9bc484b3a91fe8d1b650bc27

Download Submit