1cbaa4d4c817743a7ec88bdc3f8d15200e543a86e0b3374c6d05a15a0762970f

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vibranceGUI.exe
Size

776KB
MD5

6cc583a1f3f4500a524b61255f1d2710
SHA1

7c1a236e291746b781aef5dafbcdefa648f36357
SHA256

1cbaa4d4c817743a7ec88bdc3f8d15200e543a86e0b3374c6d05a15a0762970f
SHA512

7fe177862b1aebbbe32de1aace56cba69d35667a0d337847984380f039fed7c61cda60c2e6c02e6214d4178f715e808089f5a6b4396d94dd87d01a97a88ec8d0
SSDEEP

6144:LPaQf/VaGtX5RlJxeR2CoDnpYRkIE3IRv7I1:LPrHVaGtXV6RToNYRkh4t4

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vibranceGUI.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4676	msedge.exe
4676	msedge.exe
1888	msedge.exe
1888	msedge.exe
1816	msedge.exe
1816	msedge.exe
6132	identity_helper.exe
6132	identity_helper.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5964	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 752	1888	msedge.exe	85
PID 1888 wrote to memory of 752	1888	msedge.exe	85
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 248	1888	msedge.exe	86
PID 1888 wrote to memory of 4676	1888	msedge.exe	87
PID 1888 wrote to memory of 4676	1888	msedge.exe	87
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88
PID 1888 wrote to memory of 1292	1888	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\vibranceGUI.exe
"C:\Users\Admin\AppData\Local\Temp\vibranceGUI.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffca843cb8,0x7fffca843cc8,0x7fffca843cd8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15344476247597463803,11998023903769130499,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1320 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000494 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a2daa7bc6b9d432ab6fce72ddb0e0da7

SHA1
fce4e40dc50d12f776fc380a478f1f9611565aea

SHA256
38ad08c7dfcca4da2af1f07e0236f14f7becfc536905f1151b3ccb66e33067cc

SHA512
f469d398c2183d35f7d0fa8ec2f55eda86bcc718965d56d2c8be23d3a2c75044d3780a284ee363dd0529b5c07b762c9e8a97d3e4d7669b8bfffa827ee03591df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
36863a43ab1cab759919f057f5265471

SHA1
6dc6d947e15af6e4b0d136d2d6e109d014b05b26

SHA256
d3ab9be96c459fbccd220e0b6cb2531af3d3016b2dba6d0eadf8f8d9c517c8a8

SHA512
d27b0aaf356192bb6489969b730d42a02809fab2cf9769eb0a2b217f8173390fdeb597f811f00ab438d36532155a6d34469461fd6f21d012b231ac36f16b9a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
33ee24b817f2b710a3ff6d6344ee1e69

SHA1
bad08b285f1a1f3bd872b0dd4ece2fd13d50e72f

SHA256
02dcb346a22683f31181cbdd2cff6e88f85598b786b5fe359669036d29f7ef3b

SHA512
7fd572fdab2fbf0ece4eced8f3dc4d3578f2ff0e16511dc6ae0f04aaebaf909b39c6280cf1a7f78a7614ea6e45d7c679f4ea16d0b92235ac8d356006b97bf201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80359f9745a1b8860b4960f81b36255e

SHA1
d397b95ab790654c2767e7475a7c44f7cd0d40f0

SHA256
4f0e836c5874bfae4b7570e3df023f58b72e83cce2c4bfa942eccea3972dcd48

SHA512
253dd63531c126ddf40e8631593e776299c2fcded50222cf86039518ed2531e43750223b69a48e923445d99e8b3341572cc5ed81fb92825bdad67138079f0400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d1ef31ff915b1320d2da23132951abf

SHA1
f66f2cf2d9661410dbaba460cb73d9ff851ea75c

SHA256
6d92cb004cb5ce8c4ca484e81a0858c8fdd9d38502fecee3c89a56752f37d1a8

SHA512
d38b5f27f4352e5048e33c6d53992d40db3ba40ba235e297c2b2faa09158edecf1392128fee31e10bd1b67ec4e2376778da2b386abbe0c698d0980573ad83a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9cbab5179c4a2e2c0141a607c5d879a4

SHA1
8b0b2dfb8ba27c178edc393eceecf16a38773f71

SHA256
a0a2d0ffc9bc2a89e3a005969bf93dde83b6d1196eec738d4929741edd20c968

SHA512
d1001dab425d3659de48e158ebf7163d4ca5b207780cd9e0c81b221c1511348823c96f3deaaceca2b38622a73b36b48314602b83051fc8338b01c6a20ae31d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d40d6e70bf482f4b8b8a84e85f03421

SHA1
cba87df1f231c282b132cec7190d6eb625cf2e61

SHA256
5cde6a503bfbecb534fb02854d865c838bcb2d8366700450a34c4d0c5eed7608

SHA512
72dc6c6c6ab73a9beec2769b8a6f3f7bc61fd7490437ed07bdc11020df81219bc03d881e7cfa490cba6fbe318cbc243af3a40c60d902c4a40c115905490138a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fe19ccff47bc973b7fedc7f5c7a89e0

SHA1
5ab567fe51850fcb93e914b029148d0268afac70

SHA256
df1cad3aa5319bf52aafd7a59feb4da4b04c90ba065ff395abe2194a7e638e1d

SHA512
f20930410d1ee9ca1f343d8ef4c3faa5cb1c611108fe937c461c208064bf3859a46dc47c6996fced897bffe1bb635e4898d5e926ada03dcdaf70f914d7e5acd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4be9114ed6dae253178a6992cc29e06

SHA1
4f2a876a799a9082d3a6d775c0048d0a88679ffd

SHA256
a63e813b95687ee5dc2c4b7be219b8643709a5cb9bf2fbd380449e873507d2f7

SHA512
6cf84a89206dbd153642beb034bfc84066af778b94d7623440242f31518d7a39526679739a81a024bf3e5bc64caa6eb9b81d088b3918d47bee69cc794d55705b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ecb1600ddb892db895ee3f64e4712cd

SHA1
7a070427abe2c3d1dd7c6f5a5a8100924641ec87

SHA256
0f51c815f9f3ecd733b28aed3aaa46164babce218686b5ad073a4dd1e4a64572

SHA512
5cb5fe2ee6567f94fc628c4498b87db0ae91e9ba9213b843823dea9c1341485175bd98e8ca8f1bfc62cff39256a43af276539234c5d9dc8eb4ea2627911c2370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
d03d1459a3dea073667b87d5f0b5f453

SHA1
803c4a79f0d55c0c6ff18513d65777896f8c869b

SHA256
c6fba751d4422fca860b9c9b5e8c663c665f582f5d030c88de00de554bc5ef33

SHA512
15c4ba3c6ac14a60538c8d4575a4550acb9399612bcbbcadc70d2649a857f778bd95fcc42b8b96557f38577b5d473999697bf8d95d9b97075e7d7683b45f009a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
20f0e9d2beb1df5a144609c25183b0c3

SHA1
02b54daafc82ef673de46bf8e142f8e3f359f019

SHA256
fa3a02b9ab2c76a231a973d2410f99d9241c6d1ab3f534178f9b7f5a974f1d3d

SHA512
e20b4c4690048137a8beadc3c2255d48caa9a3e2374ad8a4d5166fc5df20bfe91b5b544e4d3efed351d9d469acb3bd690f8a3a129098ae3a2e1c84ddb19497ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9baa9d42ee73983adee169ca01b0c966

SHA1
8878b967e0a94519a96d8281537507006aae7596

SHA256
f4ac767adcc552fbea0cf5442ae7ed04153744e4a3c905cfbc660512c826b526

SHA512
32f842615d2e9fc7fb7eaa6262d2a311486ed991529b2035985a3313e4f68182ec2bb036d648ef03e6aab33361b8ce8a221859e2a621f94334482d140a4c9fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6300b660629fc73c27d41fd1cae9f05e

SHA1
369f0e32bca448341b571bfab60941b35cc52e41

SHA256
0c0be92eafb8a6a4b2b779edfe1813bf4083963aeaf1b0ef94095786e4fad5aa

SHA512
16c6cf684ec492737d87522655413799cba6417c8c376fbb7289b8d094168be367635d0dba14ed42f488db692d346201df4c2dc9bf09d83a7c0e516ae1b28c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f0238ef55cc213f572f18952e3936fca

SHA1
d783361767c1d7b9c81be683777377dcfe875499

SHA256
58e79207373aa13926a800175524a78fed26798a31eb5c8ec838614df79ac007

SHA512
f866a96e801a1baa9ca79dc0992daee102fff509bbcc9365b0e012311ce2baa24b7a8351be67b5d071f017492c29c46f8b95652c8c8533b7cc2022f569c242aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e0fcc3f80bec7e2f5b8f472ce72c0571

SHA1
5b1c5dc5eec1d536949d4a4c643e8412cc891bab

SHA256
407ffa7701ccaa1aae83869725ca7df2cd4d3f92cb894e25d0881355e2861884

SHA512
952f84abcdc1f72407abdd0a787f2d7198a414e38d170b9e48b66c3a6770f53b4c5d398de286186b58d5dfb388044a5844c38c8785a82b85d3e3e84590b56d31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4636-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/4636-34-0x0000000074830000-0x0000000074FE1000-memory.dmp

Filesize
7.7MB

Download
memory/4636-5-0x0000000074830000-0x0000000074FE1000-memory.dmp

Filesize
7.7MB

Download
memory/4636-3-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/4636-2-0x0000000005DC0000-0x0000000006366000-memory.dmp

Filesize
5.6MB

Download
memory/4636-1-0x0000000000B60000-0x0000000000C28000-memory.dmp

Filesize
800KB

Download