db5a401e0ec664225283b740bb5a4388b8e81ba9698be7564a1c8c8e3067f303

Analysis

max time kernel
148s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

梦想QQ空间刷留言工具1.0绿色版/梦想QQ空间刷留言工具v1.0.exe
Size

1.6MB
MD5

196089e3c73203aeb09c60d612be9f79
SHA1

ae6de3b623d97b05c79b63ea28b9fc145aa02454
SHA256

91cda4d433d5072478c66bd524caaffd1e092f86556f27ac7bdbf0fb4719bd7a
SHA512

a17821f53748fcaf9961bbcd800ca945561700468858df12acb4ded3a2556eed24b9d3fa2ca458f62a3c1c534b4d69665de4552d3b63fd48610943782a389bbf
SSDEEP

49152:+hrYCuUhn+s8KuqGaX0ToIBAUZLYp/YLYDwYflYYJYgYv:iUNUhsJBAUZLs/YLYDwYflYYJYgYv

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/2780-0-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-3-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-2-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-45-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-46-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-43-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-41-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-39-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-37-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-35-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-30-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-27-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-26-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-19-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-17-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-15-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-13-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-11-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral4/memory/2780-5-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4628	2780	WerFault.exe	83
4092	2780	WerFault.exe	83

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
3064	msedge.exe
3064	msedge.exe
4576	identity_helper.exe
4576	identity_helper.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2780	梦想QQ空间刷留言工具v1.0.exe
2780	梦想QQ空间刷留言工具v1.0.exe
2780	梦想QQ空间刷留言工具v1.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3064	2780	梦想QQ空间刷留言工具v1.0.exe	90
PID 2780 wrote to memory of 3064	2780	梦想QQ空间刷留言工具v1.0.exe	90
PID 3064 wrote to memory of 2424	3064	msedge.exe	91
PID 3064 wrote to memory of 2424	3064	msedge.exe	91
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 4652	3064	msedge.exe	95
PID 3064 wrote to memory of 2496	3064	msedge.exe	96
PID 3064 wrote to memory of 2496	3064	msedge.exe	96
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97
PID 3064 wrote to memory of 4124	3064	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\梦想QQ空间刷留言工具1.0绿色版\梦想QQ空间刷留言工具v1.0.exe
"C:\Users\Admin\AppData\Local\Temp\梦想QQ空间刷留言工具1.0绿色版\梦想QQ空间刷留言工具v1.0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.juyqq.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff818b446f8,0x7ff818b44708,0x7ff818b44718
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    3⤵
    PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    3⤵
    PID:2484
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
    3⤵
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
    3⤵
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
    3⤵
    PID:4564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15503838098723671021,4165442408104175349,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5820 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1184
  2⤵
  - Program crash
  PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1184
  2⤵
  - Program crash
  PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2780 -ip 2780
1⤵
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2780 -ip 2780
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9e55f5864d6e2afd2fd84e25a3bc228

SHA1
a5efcff9e3df6252c7fe8535d505235f82aab276

SHA256
0f4df3120e4620555916be8e51c29be8d600d68ae5244efad6a0268aabc8c452

SHA512
12f45fa73a6de6dfe17acc8b52b60f2d79008da130730b74cc138c1dcd73ccc99487165e3c8c90dc247359fde272f1ec6b3cf2c5fcb04e5093936144d0558b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dbac49e66219979194c79f1cf1cb3dd1

SHA1
4ef87804a04d51ae1fac358f92382548b27f62f2

SHA256
f24ed6c5bf4b734a9af4d64e14a80a160bea569f50849f70bf7b7277c4f48562

SHA512
bb314d61f53cf7774f6dfb6b772c72f5daf386bc3d27d2bb7a14c65848ee86e6c48e9c5696693ded31846b69b9372a530175df48494e3d61a228e49d43401ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
baaab20001f806b16d7068957cf87544

SHA1
73336db89af7a11bcf23292984f468ddf1d04844

SHA256
b5a2418defd4cdf6b859349e3116f701523910b7efaa47f7d0fb3595e64b8fbf

SHA512
86f7bd8b799e63a8b8aa6f0c22dcf39654f42d382ad45d4b9b9e66fd6f9129d70db51f7dde4cce7d0c6331d5cd38f5563d954793a38c9c225238bc7caa33f85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b90c01b219e4a81f67426630da074b8

SHA1
5098381e429bfd2d711ac2d6475bdbaebab12074

SHA256
26c13b7cab1fbf3a68b71d89da5fcef78f059f2aab6977b74677282e4fff2a64

SHA512
634031e76a75e5c3c5aef8e4aab6e87bcbd64ed5fc3027b906de75f345aa7501d0c51bdd9fd546fbfac64d806030f2cbc3f635cf19aeab2471dcac9900183305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb739c248fd42ce7c5bf0ae74cb172fa

SHA1
3256411caeea8508db1dbaeadd7e84293eb9c9ed

SHA256
afc7d86c3220db3d7ebe9d38c67fae7e617eb18920cce999902489e60e03fa9b

SHA512
c51c6e25220a6f39e86048f9205431703b3ffc0c83f035bb0d7b850a9d9287bff603f7d42c1d55dae72f337269eee86e6f45e9531f73288f12ba2f3294aaff51

Download Submit
memory/2780-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-15-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-37-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-35-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-30-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-27-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-26-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-0-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-19-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-17-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-39-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-13-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-11-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-5-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-41-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-43-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-46-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-45-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-2-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2780-3-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download