hxxps://drive[.]google[.]com/file/d/11CfOCb3RCCWXTXI0qyjU9TRCFgo1TZwf/view?usp=sharing

Analysis

max time kernel
183s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/11CfOCb3RCCWXTXI0qyjU9TRCFgo1TZwf/view?usp=sharing

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
6	drive.google.com

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5288	4952	WerFault.exe	139
2228	2020	WerFault.exe	147
5188	688	WerFault.exe	150

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4372	msedge.exe
4372	msedge.exe
1964	msedge.exe
1964	msedge.exe
884	identity_helper.exe
884	identity_helper.exe
5804	msedge.exe
5804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	5868	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2708	1964	msedge.exe	85
PID 1964 wrote to memory of 2708	1964	msedge.exe	85
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 1872	1964	msedge.exe	86
PID 1964 wrote to memory of 4372	1964	msedge.exe	87
PID 1964 wrote to memory of 4372	1964	msedge.exe	87
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88
PID 1964 wrote to memory of 220	1964	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/11CfOCb3RCCWXTXI0qyjU9TRCFgo1TZwf/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc10a946f8,0x7ffc10a94708,0x7ffc10a94718
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16655738258068570176,9687065712474715850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:5416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

C:\Users\Admin\Downloads\Dariop GDPS Windows\Dariop GDPS.exe
"C:\Users\Admin\Downloads\Dariop GDPS Windows\Dariop GDPS.exe"
1⤵
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1040
  2⤵
  - Program crash
  PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4952 -ip 4952
1⤵
PID:5336

C:\Users\Admin\Downloads\Dariop GDPS Windows\Dariop GDPS.exe
"C:\Users\Admin\Downloads\Dariop GDPS Windows\Dariop GDPS.exe"
1⤵
PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 924
  2⤵
  - Program crash
  PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2020 -ip 2020
1⤵
PID:2584

C:\Users\Admin\Downloads\Dariop GDPS Windows\Dariop GDPS.exe
"C:\Users\Admin\Downloads\Dariop GDPS Windows\Dariop GDPS.exe"
1⤵
PID:688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 924
  2⤵
  - Program crash
  PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 688 -ip 688
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
54dae03f780c784d0734f01145179fe1

SHA1
f8dc19261be00794a78081c04af2d215ee7d757e

SHA256
bfe28753442d77ea0d9eb4f0e01cc1e6ae5f29ea7a240cf278f2a53d3a5040dd

SHA512
6272442b5f61af04a46ce122d8b2ca3e0bcec4ddf342364f1994500c5afd907d33bafe1cb08f70a8912940a4c2d0c84b2199ba7bb64708c38c038e9b8e141d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fbc4365cd2bf31434f42f60fa0478933

SHA1
0d618918e789909b38afaacdcfa97ff5bfd57157

SHA256
136d80de6f590ab9edc8f622872d6c7fff83db58fcd6cdc5c0485a1f6066ba91

SHA512
d3c96fd7a2ccd3b6426a1896c559f7b313626fba192880e3631b1a155c4b8a2f0913aba3207576f3f8603784492e2cafbda001fbbd68db8ece5c0c9c88a70e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
35aeee87374fb50a9a6a7c6b05b3ead5

SHA1
caf4ad26683c833dd59a07dbf93026b95495e0ad

SHA256
26c75edae508a6a43dadb1e036b89cf5fcc8c45a0ad2233264027030a3a1ecea

SHA512
9d08f359e64fc4eea5b10bfbf99c9d5dc18088e0d304b7fd28ef607bc0fade08b3afbda41f4fe7a318287ccc39beecc92384ee0b28cc581d9136675887ba9cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65da305e4e0abb0d87427ed24b5faad2

SHA1
e787031a8f5ad3321797bde201af5c8a0a1fcade

SHA256
38dfc4972ba7019dc209563bccf7a46156024d1de51ef4c8cd76aefd13d9e36f

SHA512
3ef238caefa1a236fa0d5fbb33774545d66f31f86fdaf6845803bd8657223040e76113b1c6066289e27a8090c52f20c4bc58469b4b2861a3651eb9a184c70065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dd29ffe83aa4839eea666b7d9e2035c

SHA1
2a71c1c77703966ffb433ab0fc276d4ce5f7af19

SHA256
cae69383a1339046963678064b8ff509732348309683e1604d27f5dd47ef906c

SHA512
eae713a43b3a2602097306f0e802cad12df56451fcecc2f8010a077216f7e72349ae401345be6aa46706d1ba33a57a9c55587fbbed4eb38a36861aed41c4e8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
87f631689a250b969ccb4c20a66856fd

SHA1
4b6e5a41eaa639f8cdb0eb145319f967c7208b0f

SHA256
2824fb68cb000cd1ee62ccc2c16093de4d26dcb7312416b282aee8bdd3a9c6b7

SHA512
0d3be89324fa92663be45bd44f28bc35a4b78439f33bcc7ad5e83cca386713e65dee7e52dc4792b6084a22829c57b8d894a8a5b7967b5a794681836f1ceb18a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3e82faf189d5cdf8b60f12e1e5a46c8

SHA1
d5cc364a71df5fd2c6c259b88ba26e380072c1a2

SHA256
e0b620479123d0a2d83f85be426cea8ce3b9980cd732cae335490e7eb1bb9e2a

SHA512
815817bb35e3388e0bb27197b4d0483bb2b3f9597ba4ef07a4253e92fa95b6086a2befcaa3991b2f5ef51aee2799f3ae5a584178587ab11cc20bbbd15ceb795e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a65d0661554de6185c3949d4e690cee

SHA1
b1ab48ba6aca28c674a231f1c3903e9f5f3aa31b

SHA256
b70ff4b1d07c0083c5f58ac498e798febdb653524b5769fe157bc25b134d5e1c

SHA512
97612d91e73635e9b0d4c947109bdc1cfe5521b9d57082c23554583fca02c14c5a3fb31806ecbca4e8b8e6f4937db56d3bef7d8519b5add02c57386dcf8543e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ae9c1b65bb2313cefb2e4b56efe07cda

SHA1
41caf0965876cceb0f6a2cef4bb6f134e5a56bb8

SHA256
04f0b59304f6aa299ba33b5a7242cd4a2353ae3262dd023bcd19adb7130afb22

SHA512
29e6e2717067a90e833ec8c32439026be59840ebf1e2b89e8097ba44541227dcc7e6d98322e4a1611fc924e838285d7038429deb474feeec3c3002fdbcb6b6ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
94509720cc051d2b9dd2d08f920570ff

SHA1
1748ea7bb8072f428e3ddeac4ad87bef1ecf06d8

SHA256
b27b9cff62c7ea9c048e11b6f013fe19adc0cc0517225e3849d732454716f12e

SHA512
e0d8c88c13e5242a8f8df1c433400a54c07651b815cd9375bd09c6487e900ce7067c109b52b11c709ff9440a25429eb092ecd71e0bf193563cfacea29f55f06f

Download Submit
C:\Users\Admin\AppData\Roaming\Goldberg SteamEmu Saves\settings\account_name.txt

Filesize
4B

MD5
654e1c2ac6312d8c6441282f155c8ce9

SHA1
b601eaa0f87fe94355f635b77a7608b971ea8825

SHA256
bc3a7860cd4f58f3e1e66a20e3cb2930477121c46b9e030636bc6c5cfd050071

SHA512
a3adcc6bef462dcea21dd995bec6b4466c68ee85c8059c27fba7bb33ec57ec00c6bed9528be92d1044100b749a68ee439f84c9b8a37d1dd13d7fccbe231ed31a

Download Submit
C:\Users\Admin\AppData\Roaming\Goldberg SteamEmu Saves\settings\language.txt

Filesize
7B

MD5
ba0a6ddd94c73698a3658f92ac222f8a

SHA1
1b669334dae8ebafa433f0175b5fd418a7bc0975

SHA256
b6234d2ea0d6022be63db80d7b80e221097fe4a469dc44febcd2a9241effdeba

SHA512
0882b702e0f4c1db1701789796ab1d12d72627811b67299bf36b9b25c29465cc24e72483d171c435368dc9f777837d2bd45ccff293de2207d32ba58a6ac01023

Download Submit
C:\Users\Admin\AppData\Roaming\Goldberg SteamEmu Saves\settings\listen_port.txt

Filesize
5B

MD5
76bf79e9a0a4c128d97dbd6900773f4b

SHA1
8abb38a924d5bf8a1ee12fe96aa2d2be942704d6

SHA256
45095e3e3f29ea73ffab2e23158b7cd2afa6532004b5a9b6f06d4e5e068a89aa

SHA512
8cd54c07d87c41103d963eb7dfd2642b07bb67ceb731b477fc9cd9b736ab03833dc2e2d0b2eb399002d76d405a20d5816d19d77ef760d7dac0c1a67d80662535

Download Submit
C:\Users\Admin\AppData\Roaming\Goldberg SteamEmu Saves\settings\user_steam_id.txt

Filesize
17B

MD5
feba7835e2ed71152d93844265d04f6d

SHA1
138eabe515760811c655fac6aff5b5fb6ed4c3a6

SHA256
90c4d53ca1d15b9621720ea3a2a672bd3ed8d4405b0b6b3a4ca1c20a8b23e130

SHA512
7c4e405818e9bd87d1aa91daa5d5067035de6ab44863dee46dac150862a46ad17e0651495f7815e43a34c27b8c6fa6288955f45fc1c346fe0fc08e500ef0f266

Download Submit
memory/5868-143-0x000002B730F80000-0x000002B730F90000-memory.dmp

Filesize
64KB

Download
memory/5868-127-0x000002B730E80000-0x000002B730E90000-memory.dmp

Filesize
64KB

Download
memory/5868-161-0x000002B739320000-0x000002B739321000-memory.dmp

Filesize
4KB

Download
memory/5868-162-0x000002B739320000-0x000002B739321000-memory.dmp

Filesize
4KB

Download
memory/5868-163-0x000002B739430000-0x000002B739431000-memory.dmp

Filesize
4KB

Download
memory/5868-159-0x000002B7392F0000-0x000002B7392F1000-memory.dmp

Filesize
4KB

Download