hxxps://wetransfer[.]com/downloads/23971070f33f1bd6e374dbdf62299ae120240520124920/0aa0f431c705d3b3a2c213a4682eaf9520240520124920/671598?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wetransfer.com/downloads/23971070f33f1bd6e374dbdf62299ae120240520124920/0aa0f431c705d3b3a2c213a4682eaf9520240520124920/671598?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
3572	msedge.exe
3572	msedge.exe
3668	identity_helper.exe
3668	identity_helper.exe
5800	msedge.exe
5800	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe
3372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1620	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 656	3572	msedge.exe	82
PID 3572 wrote to memory of 656	3572	msedge.exe	82
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 2116	3572	msedge.exe	83
PID 3572 wrote to memory of 4124	3572	msedge.exe	84
PID 3572 wrote to memory of 4124	3572	msedge.exe	84
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85
PID 3572 wrote to memory of 2360	3572	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wetransfer.com/downloads/23971070f33f1bd6e374dbdf62299ae120240520124920/0aa0f431c705d3b3a2c213a4682eaf9520240520124920/671598?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0ee646f8,0x7ffa0ee64708,0x7ffa0ee64718
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6256 /prefetch:6
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10704360813433642438,10275099982624081304,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6712 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
194KB

MD5
dc1f7ba3725be6424bda3b2d740ec8c5

SHA1
abbb422528a417e89d3dee422b268d0eef368e56

SHA256
038bc25211e6cea99bd1d1bb8213c7134ccf003fd3d91d8408beacf6bd966995

SHA512
11514d5a7f5a43cf496cf8f6f03da2465cf732b0af210327453e8eff9a75c33d71ed7a302cf342dadd6979bee783da6983ef356a053f453a5501e7ff246c7b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
a7dea4383b86b8d9b7301dffd6920427

SHA1
06c3584bb46a83dc73cf7553eda59930aa19c99f

SHA256
842c370ca062bd5e454f55e029a1780220f79ebc8c3022875b375de582594079

SHA512
69ace66e265cf7bb7837d97c0851e749f719ff7045ba324b0b721fb416dbd804884a43f44f68defd433c2a83a8d04a2c3854939b23480f86b60f27776f0cfcbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4abcfda7a5d16776489223f960043a0a

SHA1
e89bd64ecb0af18aace098eef848f4173729091c

SHA256
f210f5feaf715e8da682087af0b70a47f87fcf0c2124e50640fc79781bac19e9

SHA512
acae620befc5818af0315e411070491e4e1f5282f2feeeba61b4b9dfafb9c744066256fe9ce6bbdea0354678f7698c0e569535781bd26afd898fdb63fddf501e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
26f4ff9ed6f41839eb4f82636eda6a58

SHA1
f84bf3a83f9f4c796798a24e24ef6ffcfd684b4f

SHA256
2d45bcf3e774596e9aa1db94e6344ffbce129032648b368dff1cab68c8e11934

SHA512
2fc9b24803897476af141878295012bd8f1b3d2c3c2c318e44b15a3fe525faae6f9bdcf1219d6405b7481471d97c488db1eddad066c2848e054fa1a14a1128e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
324e6ba7c4463c47fe90f3298183a3a3

SHA1
3a0fc66590abda428ebccad44881630ce67249c4

SHA256
58ca22e5b254557aaf6f3368df8ee7f9397fb6111c72804da48c3601076bbbdc

SHA512
fbcb9db661c678af0e68d2f63badc596aa433f1554c57dfe8fef05431c58dcb3e29073bb83652a72d0038e027d8c4704ab760d8ecc8e4a2768119029dd9033ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7db9e0498aca662c9c8b31cc2d0ad48f

SHA1
2e756d296a6dab426da2a7128ff9239d9da272dc

SHA256
215e34b4f38a86cc2c63ef076b394ffeb8121848d8a1524f843dafb9d70c5b62

SHA512
49b4c8a2f63b4be2f182068be909750ead77ae546e8eeef8a0e855625bbdb634043b61b8c11d34edf94cb37541477eee0ac934eace925ebb5482e6e8ef6900e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9f59397cdf7e8bd1aa547f1cba255817

SHA1
002c5f35b20ca498869c197beefd39155f8b462a

SHA256
d1b0797d7c4ef8df5aeaf086d3f0461fee4d29c0138e931650972b2061ca57a0

SHA512
7264f78c0dc480e2dd55d1f6ea0d5ac6c9460d2f6285f2eaf32306e8068d592e4fad81ff8828958af29cdef164d6ade6cdecf64079c2640ae4b44c4cbac957b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b565010c403b8a240456abe1a6c4c69e

SHA1
eecd5c2c0b1b9d6189919bd526a1752d5be074ba

SHA256
53e02540d16df3907c1a2f5d0801340cd781bc7acbc9e27ff69abd7a7aaecf25

SHA512
3609aee6ff87710a5f9d2f52719b78009e85a1220cb70c045ec8da668e1704216d178e86e0b90f754a25beb592d1ce79d6c77f9330c805b698d1f8b54bdc924b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a9f4cbd3895f0cca0aa36adf8ef65398

SHA1
f3c05f648a761b7e3414ef00329f25880bb1740c

SHA256
98286a736916903d13dcaf9c4fd76c30f9b32bdb143cdd4b431f50f105589f45

SHA512
ef5022508131e256c2cf91b7ffc39114c1383d1cb4e1d373a85bdc33c8652e43589c24840ba1cf0da37eca84df2d9905377b5f4a8bc5e11d82ade63f1b0ce2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c88467760ea9c76bd85fea1a2c1944d0

SHA1
2d8da59d6ba6f343c81ee6283d77425f66b3129b

SHA256
3bd2c6a0436150fcef981961873dd4333a84eee43c21282adbf82b98150273f5

SHA512
7dc9f159d640cf29b994c148f6277c23863b8291ebf68d091c0cba5ecad467a365d2c6e01e12b59197419b5a3afce1eace76eaa952a71c38153616e14781b4fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
dfb04dbfe708d0d5638d6a16781f10fe

SHA1
a34d9b130aa473ae71c30b5dda0e266e9619f8b6

SHA256
d3e0563cb97239c9bcab5fc995ec2c6ab300a66514ba94f3dc54f5244d52c50c

SHA512
f8b067fde54b704590d2989a6031634343defb920d7313fa89d6940b37550546aa49d9ae4702d66ebb159e7231150ccf7ce8ee63b02573cc982ac1a16b336ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
36273aabe3c3e5933cd561998812a8d0

SHA1
33d5ca7feb6e5b8d06ba808cc96fddb69631e187

SHA256
4b50c57217b160cdc145f9d030b8225b0beb3e2d0d236d27c7b6579b6057d8b9

SHA512
d981dcf9041c40b81b8a779a63021bfbf78eab9dae3459775999a102382d20462eefb842bdcd7dcd8f689d94430fc624586a89e01a4dc08dcbf6918fc4766640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
769a7edd117c90dd17a5231ec2cb619c

SHA1
44f608368318260e3e6c5babc135c48ec4ad8b3e

SHA256
c5fabcd87debb017f15cafdd6ebe9af02a619c4b8e860db910e7f5eaf57bbccf

SHA512
ab8a2373ba478c04f2fe9b0cbf188655b0695b8f4f9109a56ca3f1da22496f7f5c2e3a86854c9163a87ddb69d30b198b90587fb0a636ce75ec1b0d06407346a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
062a2a543a7204a16cdd11ce0656bbaa

SHA1
e80774f39684a7a39baefe1c84b52ce4d751a970

SHA256
1006d5a27be63e61aef22dc86da5de8bab978b0920a064e2e005a4620632a0cd

SHA512
ce5b2b8d8652857ba90591894f226c46d3c041aa97b8b9a423999c19556d75a2f3532be1f00148710f0ba65dbc59520f7bc0397ae3cf5b8f0da1ccb47928399c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
afb461d2fa570eb1d2a756a2f5c42750

SHA1
f43adf1ba6fe17eb6abe5158a361a2735a399f33

SHA256
6b52e07b20ec1361eb331c098097505017ee238be292550bf90f8f7b36813d96

SHA512
05c7b5771fb738d0263a04a5f60d1a702c7d814d4f18368101d37ceee9e4ec133ab406ecc00d74b0bf2db43bba954d0f5a9f1f81ccebd3029528ea886ef78927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d716.TMP

Filesize
1KB

MD5
ee919aca57203bd319ad89de5c922c48

SHA1
87b79e5d5a0583f7e24fa0b17954f1f08c56c176

SHA256
6226855103394c35b1822a66e27bbebf8a3a5d2fad3737388f10ce37494e1757

SHA512
ac0daa1f2e78da06263b993e6ee5c2b2e6f7b6d0f702df2ce7e13d678dec84b44320f614d7fc6754d43bb285f8b4ce2dbcc6871bd3576f78f1f7ad9b3d9f1e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
edb0febd9aeedd5c434c806e3bac3c4a

SHA1
fd44bd7b4d158b98ba00975d442a0496c47e0cf1

SHA256
a21d33550aca8b0668cc260457b40f93bdd3e42393d382ce79fcbe5979a7551f

SHA512
dfdd03c91db43995aada1cf2d46c5258a19d010c6cf0273350c430cc435efce44c393a59dd9179646cd2dc53665e8f806d759f0f7a9a17ce76b7849bc8d4ad32

Download Submit