hxxps://link-hub[.]net/1208172/solara-bootstrapper

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://link-hub.net/1208172/solara-bootstrapper

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
154	raw.githubusercontent.com
156	raw.githubusercontent.com
157	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
84	api.ipify.org
85	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{05DA94D2-61CE-4446-BC24-8D33010CA91D}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 149413.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
4748	msedge.exe
4748	msedge.exe
3856	msedge.exe
3856	msedge.exe
2676	identity_helper.exe
2676	identity_helper.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe
976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2444	4748	msedge.exe	82
PID 4748 wrote to memory of 2444	4748	msedge.exe	82
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 1652	4748	msedge.exe	83
PID 4748 wrote to memory of 3540	4748	msedge.exe	84
PID 4748 wrote to memory of 3540	4748	msedge.exe	84
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85
PID 4748 wrote to memory of 1732	4748	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://link-hub.net/1208172/solara-bootstrapper
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9984b46f8,0x7ff9984b4708,0x7ff9984b4718
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12384547381167196627,12132190763795008158,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:32

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\50e1a8c8-670e-4bd4-9372-22e985880626.tmp

Filesize
6KB

MD5
cebd81e3513ce1b5a1b61f0a62f7d7b2

SHA1
94b29536d4f5ecf53cc97266d62d0c764204f101

SHA256
d3a7d3733b2703c348caad8fb5d4f60054acda74d1aa1aef75e551e01c85810e

SHA512
9fdd8ef6a18685db6b461d58ea4a4e494e97c887d02d714b19b4e7670605b9c15b94875731a337912dda73334b2e967860e688fa8ecf845b95f863ca0d01ab15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
cc5ace4e3b88a14128c45a4fb0220c46

SHA1
7020192c4e8743518ccec3dd9e1862b7636ab1c3

SHA256
4fcf673300444797e4b0c5adee00db81467eb4619194a2d52de0f54ac2fdfc6e

SHA512
1d1499465065a83e9b1418b76a3fbeed60cf85aa2484f33da1ca6fa1a9c797e8e718e739c180dcdd46d7a4dd09f0df66bee2d437c62651c004e99d248d96a832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
767ca4095a584900b88af618fb33e932

SHA1
888fee673abf571af886c26034ba294e60e5b7e5

SHA256
04a9068de7c9399ab4fa6fec3c3b77498ee60502bd9fdbe1a98f7172882dadad

SHA512
278fe3fa015f27df198fa138e4b2a1d0a05646a198f745e070485373136152cd296b95aa109825e5ebe74e2d389ff7f6b8085e123ac9fcc04de633868236c83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1203383fe47c16c601a086228d3b8eaf

SHA1
df82b8d3bc8ea2301719ac1825fdaeb1ba5507d7

SHA256
1771f936dc28e6f54fe98197ae50961d7d0c4189b90caf4cc3c9561baed9cf6d

SHA512
7d8cb305abb1051aee9dfe6256f2bfe6af102c75d02b4c7c0fef2d78f267ed7b9d15f8a13544e07dfb66b57f1464dcbe15275f32071c6bbd4179c364652ee24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
77a286a88eb4acd35106dabee4e4945c

SHA1
f0297ed8191c11fadf2130bd277903fef586abe5

SHA256
b1cebc19bc484493d0509115e0f560b7655b755aad5bd130c084486fe65e58d2

SHA512
286854df13fec039690915afa1acfb865bda4f115e1d7b0673f4a3e3ee3df79e5e44329de3d20fc5669fa971a2832b381133d44acff917b7865e66fdf43652eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6205d6c79302076ffb3e495d432a0794

SHA1
780eabf220014352ce5a267092374982371ab18e

SHA256
17d6b4942f5f6b35f07296189b292936796b480f966db06c94aaa3362eb057f4

SHA512
487cad0b63f775e3803c9ce7ce1fbe2b2f5a6e8060a11b69816932e49c9a2b2090e628cc1270dcf2e69a5c1141dcf966ba3878936d0a46e7ad9583c1448f64e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
063b353f8763daec26353cf700b4eea0

SHA1
596dd296ed2655ed1e101920c0ca8e9e7be5c094

SHA256
2470be7c884b5e66e5ca7ae51328249d5465aefd15420850f33ffb77e50271cd

SHA512
dd3acab1fa5349c3fcefcbf4d3440b66b7a8db2d0f5da8c1bd45234626ad9f0fe7ec96efef82e68583f249bcd2ad50edab9ed79123b4c4189715256b230fdc1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
46f356ab4ec13c46175805a892ed7258

SHA1
6b792e79ac97b8e87ac46c59f81e9378ccde3326

SHA256
9d40238b816d35bd3d8def79fa810e440693618491e3134659c696bbdbd60467

SHA512
813f0711f6dbc0cfc13f92cc965603b0e04c915ca7bf12758a1b636ad4c1a58341adc8f5faa0b6be5dcfa296f12956e077b32639e379b0abd4a78457c68199a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588150.TMP

Filesize
1KB

MD5
0ac66a080c9c3d13e0acca93685504cc

SHA1
8e6103a0ea2b8d452315b87898643cea5392901b

SHA256
edee0b35806c637a1a665c97f2caccd2e59ad513bfc7c48fe5b519b6cb59fd3f

SHA512
d463b09da77afc4bab100691eda6425b28f4c90331f2fb3cb358233487d9d8dd61988d179f09b5aefaf7d5f471a763475250ce6afe4a362830ac21fd0a215677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f45806b661afbb7ee04b6cf51ea6f0af

SHA1
3839fe67bb3b71ff21b7a02575e271738f660b9c

SHA256
573de8384fb15489d2dc8b2542358bebeca5711948727df778db463a08e1a4a8

SHA512
91a15f9307e8a5fd43ca70ea4f6ecf499578c7ebbb0d0b4dde35d9326d8a68dc5619c802ec0b2223cad27d74086051ebb42e043f4f4b6557285851f444bb8750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f2f726d0c3bae8f9f60b5cb308414a5

SHA1
18d15e28417174f35d071bfb93afc86fb4d83f2f

SHA256
b66c862a10811d97f1bd244d7826316820be79584fb9ff45d04ad0168feb149e

SHA512
ccca29154a100b8c42a3a45f1a5a7e8fd57790f2d90f5578bbc2b8b7b51a3cc488d7b0824f95b7f6b516b763e976b39d4df80dd61a92841dbc0edb1da826e817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
71dae3665a03c0a11a76addf06ca5e5c

SHA1
a4ed74d45152b722f14ac40c96963fc0a0b60df5

SHA256
40a360d0230f2031f1813851b4f3429abc5b11c280ec14d08f8999fadaa761b1

SHA512
59505aa3cee95ee641f94efa1370749cb19465732dc55659dee80975f5de2d3268baf3f7ce1319c282d4549fcee88216b56d71137ea4c2bf5cf34b9ae2d13c84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 149413.crdownload

Filesize
795KB

MD5
365971e549352a15e150b60294ec2e57

SHA1
2932242b427e81b1b4ac8c11fb17793eae0939f7

SHA256
faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

SHA512
f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

Download Submit