3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967

Analysis

max time kernel
1156s
max time network
1176s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/HzkTNOg6s1em.ps1
Size

50KB
MD5

7038dc43406aaa195889f20880cb49a4
SHA1

2d398e6d8187c33cf00d10a96ddd32fd4218d94b
SHA256

9b74b2cbc8ec3b2cfbf9f6f6c20f5f90576f8bb9c44fe5a8ed0109aa97f21bcb
SHA512

9254fc4d470cfb633b98a748993b0bbc40f0ea0c2163ca56c2b99ab3c5700e978be200c99bc9be6f516ced04331391053dbe90b03e8d8844f0edd785b82f67a7
SSDEEP

1536:gboSBtdpjqVkGRKA/hTsG7sg72LavYGWC0e+gU0:gbogtP0RKA/Jsg7KeYGKe+gU0

Score

6^/10

execution

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
162	api.ipify.org
163	api.ipify.org

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3152	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2753856825-3907105642-1818461144-1000\{A727EE76-54EE-4689-A530-F371659154B9}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3152	powershell.exe
3152	powershell.exe
3656	msedge.exe
3656	msedge.exe
432	msedge.exe
432	msedge.exe
3228	identity_helper.exe
3228	identity_helper.exe
2496	msedge.exe
2496	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	powershell.exe
Token: 33	1144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1144	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2788	432	msedge.exe	92
PID 432 wrote to memory of 2788	432	msedge.exe	92
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3100	432	msedge.exe	93
PID 432 wrote to memory of 3656	432	msedge.exe	94
PID 432 wrote to memory of 3656	432	msedge.exe	94
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95
PID 432 wrote to memory of 3580	432	msedge.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\HzkTNOg6s1em.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd43be46f8,0x7ffd43be4708,0x7ffd43be4718
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,1320501713071176915,12111559321280946151,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f060e9a30a0dde4f5e3e80ae94cc7e8e

SHA1
3c0cc8c3a62c00d7210bb2c8f3748aec89009d17

SHA256
c0e69c9f7453ef905de11f65d69b66cf8a5a2d8e42b7f296fa8dfde5c25abc79

SHA512
af97b8775922a2689d391d75defff3afe92842b8ab0bba5ddaa66351f633da83f160522aa39f6c243cb5e8ea543000f06939318bc52cb535103afc6c33e16bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a27d8876d0de41d0d8ddfdc4f6fd4b15

SHA1
11f126f8b8bb7b63217f3525c20080f9e969eff3

SHA256
d32983bba248ff7a82cc936342414b06686608013d84ec5c75614e06a9685cfe

SHA512
8298c2435729f5f34bba5b82f31777c07f830076dd7087f07aab4337e679251dc2cfe276aa89a0131755fe946f05e6061ef9080e0fbe120e6c88cf9f3265689c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0e25d578878f019f0a33f99b135cfeeb

SHA1
35b2064295653e274903ca8cb045b84ca5e101b9

SHA256
cd6dfe33d3fb1d6867f2f7970bc8c63fd326e796e5a56ff55b702c322f8f1b14

SHA512
dd84624ab5c2ccff7cf456a27322a66fc57b39713ff40b8d7503c2ea5ba06eaca748e5b56322ae33563f9a73400f54d10803b416335155af662bc146b38d34e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
59fb038bb7c88499b0b542bc47513b9c

SHA1
19a9b4b5d4d7948a64e922f64f54edf52bc61336

SHA256
1d462b49d6de762125cfadcc2b29db57df453812df04515c50309da4e1ffeef4

SHA512
8122ad644ec92eda625c07019177080e601ac53b565e7ab3d8193dc374c9801445efee3747b1e1d82925e3bac8d2e962f624270b2f28254508162d97380e08f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
410B

MD5
902c087beaa2e8553652cc0d7c221ad3

SHA1
2d4aa1214ec540bc88f25e922f43e89a2704fa56

SHA256
c1478e3b8cb7b317d141ed3e7473d934b40d473be49357ee081a626b0556faf8

SHA512
d190ba6049b01f1f5517b64ef1d5b33481d6b1f4ac6ef0633d8cdc18ba84a5927bdcf50a032e461a83dadac96e63c542ecfbb5260a742eff13a901b688995e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7caffa65bf6e029ace9dbc2daeebe232

SHA1
ffb59c5aa8649d04e46450a2ad377915862a27f0

SHA256
3549969db07ac0c83071da03e26beb3a353ee4dab2009e6d81d464ea56f0ea50

SHA512
8686c2494a66194001cb23c3050da136bbc4d793d7f46a350a6a8f26f5656c381e294f524640cfd33c4ab7d2839217d2667189ba383b7e5e816ffa657d132616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac5cda963d8f4e4c1df477041713a2ec

SHA1
b9d480c5406d7e2efc70a72ea11b484556be2ee9

SHA256
68171b0f8b93bc5c46b5398a69cd3474513c30dc4600141471f1bf240e64fc0e

SHA512
2ee9bdd598a02397bb85fa308873a3b9b932dc648e96a1e7db55781e6fe6cb7f41e02e2b5b801548e6ffbdd267333d87106ef3f555e36876035c036758d3e363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a8eba66f4f57ec405853cdb8121b8b7

SHA1
c4eb2424961a9efe341db2e39306863bc4160dfa

SHA256
3915d3c7452b167265cf79febee3c97fdae0feee04e21aa47632eeebc34a1080

SHA512
ba5cb8c5405a35b1b9e8eec6fa54755e8c50bc70fbf16d279a65ed5b65d248d651cef23ebecb19261d342c79ce99c51cd416c54acc29d9e37cfb99464ea8f40b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
17a602ab28d7067625caa36f2a5806a7

SHA1
c04aa35e37fcddab2b6a3a412dfb1e85f5397fed

SHA256
4755b05be6a83f4b9ba3ff5e6c9e26d1ff21cf580a5d650b443dfc7f50d3126b

SHA512
d9015ee74088d1d8aca03bc5c84f08a0a8eeda82ba19a4afbf1cd2b1683a1ec90e95fcdd41f698dea7f1ef4fbfad3c19df91880dcabf11ba8e2134e67fa50c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
006aeb2dd083db82565d3cb77732ef93

SHA1
4f1a5a5d434edd5955af09a31b464ba00de6bd19

SHA256
4bd2976604d8c271333a3b46d1fe3da350cc448389f6cb2e677d7ea527ba46e4

SHA512
a814d337d258bbf9aca596e8fab027701b5be1750eda1bb48ef86f54f998be1dfdf8ec77535f361e9ec585a2866da42c06d00230924df66c540558e214397eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
91668feffe4c2e42b531adfa81a13327

SHA1
5ca4c347e7b3aedc41e51bb352ae451e4c1baa80

SHA256
2ca46e0b3485a45c88c694f7e2347c8c6e54943e16c07331f538829f50df256a

SHA512
21a887b5e02594ae2dfd436d7c41f9f9cee64fdf9af0f78bad671e30f97517199b1f48e5eda3b84e5a6bec266813cdb42e8d2144b7887b9fab197f3fc3c32b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df25c8b30632506d1fa1f29167bb2079

SHA1
b4bda458e1630507e6ee92b379074b818e04169c

SHA256
0639f6b5fa5b72efd8b248fd94b95ca6f20939c838ecdddf0efd2d2247a34016

SHA512
f73b67b8c94650c94cf4ac6caf66acc405ab758aa86cd7b0eaf95fb88ffba33e69492efcf4a6c6cc3e19706b1dd3e262b0c1947772e8094efeb9e4f2d8fa3499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a421b.TMP

Filesize
538B

MD5
52bc7fb73fcd784866ab112f7de83cc2

SHA1
1ddba52fb63e5e6c07e084c7c3d6c60a1a3277cf

SHA256
070e6711693cb367379a75c8d5194658ae8a84b070cf9d99bff5e71c483416f6

SHA512
092286857e717729d95f8f75cf999834a698709d328705530f8756f384826f3c5706ed5e23327d20022c0ff3fa58071c631dd4ea507cf9cc9a66237d3c518859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39409cfdaae678acc0654c1bfe16af2f

SHA1
ccb411c494c71886a1faab6925160118a008f2ea

SHA256
ae79efb5d19bab69e8e0f04e973524abf12b0864580342d606f87db3cbfb7c3c

SHA512
fcefd94fa9f7e99b1e8c8985d86943620a32e0afd42348f0fea44615a44be0ef49c05507bfeceaa7811cec25da94c5e9f077213eb6ed86b3a895ec98338d48fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iaedwbhu.a30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3152-0-0x00007FFD349A3000-0x00007FFD349A5000-memory.dmp

Filesize
8KB

Download
memory/3152-16-0x00007FFD349A0000-0x00007FFD35461000-memory.dmp

Filesize
10.8MB

Download
memory/3152-13-0x00007FFD349A0000-0x00007FFD35461000-memory.dmp

Filesize
10.8MB

Download
memory/3152-12-0x00007FFD349A0000-0x00007FFD35461000-memory.dmp

Filesize
10.8MB

Download
memory/3152-11-0x00007FFD349A0000-0x00007FFD35461000-memory.dmp

Filesize
10.8MB

Download
memory/3152-1-0x000002A5E4850000-0x000002A5E4872000-memory.dmp

Filesize
136KB

Download