hxxp://Google[.]com

Analysis

max time kernel
657s
max time network
660s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{2CDE44A5-541E-4064-9060-A30B9AE62474}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4076	msedge.exe
4076	msedge.exe
3956	identity_helper.exe
3956	identity_helper.exe
4228	msedge.exe
4228	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2124 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2124 AUDIODG.EXE

description	pid	process
Token: 33	2124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2124	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

msedge.exe

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4076 wrote to memory of 2240	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2240	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4792	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4392	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4392	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 4048	4076	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aba546f8,0x7ff9aba54708,0x7ff9aba54718
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
2⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
2⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
2⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5988 /prefetch:8
2⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
2⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,11175306111346641550,4544123857725942209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5980 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x2d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7028e844-6b46-44cb-ab44-518833701d9e.tmp

Filesize
12KB

MD5
198e816518917587417a069cb485e3ac

SHA1
73c60eaecd44e440714c533d6554d9f7d47fd215

SHA256
1ac4a3c789e96139268ee03d98e11a2791e508e2a658837a39ca633d0d7488a2

SHA512
89401baa66282b23f30f52774ee6a7fb05ba894cc1e2df789ae4a403cfa21ebcf01994fd67f017e6cf9323a13795dedb01be337f019dd5b32044b1cf83c7ce6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
131KB

MD5
f8a08fa8f74f42d1d076e22accde05cd

SHA1
873e5027bb2e9ce57462f9d4e2f4ce8443e1b8bf

SHA256
cf300e6e96078719a21877182b9e7d156c3c9c557682acf7c36f49882172de86

SHA512
683c381fa82de2550455439e57b6a837ff2f3c883cebd3d64ef142067e7c8bec8b30d7a48a800286f770c55376965f34e1b5afa535bcd9ad15e329df7b127ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6bba5ed4763567bb4f851fd9c161c14a

SHA1
80b5d972cc4cd52012f85a3f6f053b65eeac393a

SHA256
e61293baefbea3addd0838aac12cd80a4b62c627229825a6a8e3057a7dd193c1

SHA512
7d6e5669a006a751c60582fb148a6e4602d6a85e738a7e0788a6fdce09d56bb9d474086cc53c59ef21c65d2596a7ee8be1d6aed28e0c5ddc80b306af1fcffd19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c994c9066d042e5f3d150d242308ad0c

SHA1
ce93efed6bfde6446dc4c9cf8d44580526adce06

SHA256
deffe18a94674c5f89f234ead55e7a0f1b6f1534b9e78c72f746f0a0095aefe2

SHA512
822353f1fbe33db2b40990877bf6f360a2c4f9f273ee830568cf5bc566451c667978770cccef343c0182fc7aefa2735726b88b6f91e009b748fb8e411efd2faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
73b5b6daa640ac726a89acc6b16a487d

SHA1
fb3a401e63a630afa9c0c300832e5c1e9aedd6f0

SHA256
557fe463473527ea159b7ea1572c37dc11a60e4dbf4766efc8c3ec349d6aadee

SHA512
f369f5ee7b5b67a026545c6db8b4f6c84231731a5bf54786477d5b6eb4842ca66f2910a8a3a20964dbbcfb3ecd7b9cc92e0d437e70a09c80f5ec7efbc5b8cf21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3559d68bfe94321ad38460ce9546c11d

SHA1
93d86d2e89746bb604909a82f7fc9fb2b875257d

SHA256
0daf7060eb767d8ba4df83da6462a0326d64ca70a81c603ab86e1ec110bbd6ee

SHA512
763e0575bb115788cdbb41b686ac70154c77984be08d8a5880371484f5689a8a95dc8631b0e0def6dc7e00e4c415b267e8584f11c20e3cb3f5ad0595eb43481d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e210607791205bf6966c43bd1646a7b

SHA1
d318dd71b4ff743597f33655b4df6508195ce024

SHA256
cdbd3c67d6bc20eef3c04dcaffaba239fdc77aadce5ab49289fdc399d3182fd4

SHA512
d09e79e9436ec4cb7283c65be3d95ef9a5d69c9ce4b13c6c84dc8479c1db6c968730eaeec8c6a9ff89e9aa46ba96f86ea0a2b930a18f2e24d30b4c163e9cbbec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a9325317760bea360ee267905a03e09f

SHA1
1302743e8804cc8a7887213d431b583fef067f02

SHA256
6245316ab40c5168383d3cc787e0ba991efc958cce4bac1a2dd17d10d506371a

SHA512
1a928b56e2dd74ebc44381ff622298711df2023ee65f08d0ae5e2f8c7c6d534c75cec874fb06043b59a187b8178870edf84bc601f3f2f65c90645b7383cff112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16a1e0ccf6e36d9159f83bcce5d49808

SHA1
4a36b5bfe8b1ac553a13a56332b9abfb69beaef8

SHA256
f7cc3e242642adc6c223a2cddfb99061d187d9a55a9f739d7d04e58ddbb462f1

SHA512
a89bfc2f9aac5ab6a055204a6f3c4acd73f2f014b7cca55fa1e69f3a64b97eb3ee21093569107c506480d61f4604481ef5deba9de33bbc7aed4d08e174f1842c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
086603d6e433810e792a4a32a08e0b74

SHA1
72fe4b2609227dbc7d2288ce462f3cb74d187ac0

SHA256
c7a11039688c9c6d2ea85467e536ab3b1f1b3928fac91d74160326b4581e6588

SHA512
ee2cb0d4d3633fcd08d67d92b926288e91734ce445e0a672bcf2e02017854bd46cc780cef70494a5a0db69012fa9ff3d98ad000a6bcba34845c632700967bb50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81189eeea7a50ea9bd36b6b408f0a0dc

SHA1
45882ca7c86e21baf537e74ae5d4851b688bdb0d

SHA256
c7d08e3b914e81c9da945af382ef25e01b6755887a25a746681d96d53e522a70

SHA512
b75c2e7aa2136d97d0d08f8990ad335ecb14e25523d0d94d7a9a7085e776a8891acd332332ef8c116ed2c6800466f9c025da008743c365e11fce1da1a1351be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ad398e4d169894e6634cf4f6af41d271

SHA1
adb334851a12852a63665964281336768bbaa417

SHA256
a47764cc9e166a8f8f5a30a5eae407d6acb482f553a6f7dd1a975013c2fa5be6

SHA512
216517505550a291c19b3a9cda7654de2f07b53d6e7f6040eb74bb1c6ae57a966a7c15f2cd53d0aae2b57d9c14a09f45c6d989ee3ae8e5f9fd961281f015fd50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
86912d908ed1f0bdbd566181cc2e1ace

SHA1
94ebcbdffeaf33ead0ad00699327338c63a40251

SHA256
3773d85f3b0238e572ac291a570b3f5cc05193339f4d408229dd68ec62af240e

SHA512
32a923fa04677993e4d5e7c46642f9499db2ee151b6ca758a4d29e4fa610a885e9ffdd976c59df32aa274640e01a60cc5fd61bb9f010d63e4f3949a5cedd53b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
7b4b5b52170c84fbcdc6dda67168aa41

SHA1
828ebd6f8cd94b7e00d03d8c5dc7da77f3285033

SHA256
bb83cfc2866aa47bc0d75e41c307692357d964ead535cb122830ab627a9d246d

SHA512
39f34230d7e5cd22060d3b6700ba588dd566f24044180e3de4b2b92539b36476da33ebe6e8eccd34d0098973592d923bfa13801a27681b28f00d09597e74c6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c5fb.TMP

Filesize
204B

MD5
fa1ba55e3093b1694a61c422c6bc8982

SHA1
57e11067f530d5a7e9a043618f42e4390c3e436a

SHA256
bcb44c60f60207c2531495a049b92f1cccb3cdaa79d366d464a46daa6fa80b88

SHA512
790bd14c350d6025556e58c0b193a12c95c3c4f86b906b0a035c12cc4dca3ca05ea87bcfe0a6ec9f25bc4853c47bf08fa6394f2bc9c7445fbb1ac67913d52122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd377ce2560e3fe8d8bb444c4f3aab65

SHA1
7d562f1d29afa13fc9a0b5e88e7c8e5ca1a5ed96

SHA256
2ad657ba71619aa7eed38a80bad698a80d70c57549755ec31f5f4a54d9a4ef17

SHA512
a2a37101644a889a5e7edf49d48092cf3fe21a7fdd7c6f4192055c60780c80ad1ea18337e78f163c8bd716fac571ecb0345c5d2baa79be3f5af0209b16ad332f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_4076_BNFEACRMLIIQTXEY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit