hxxps://drive[.]google[.]com/drive/folders/1M2hQLZS9Qjk9Ae__vw6m2XNjBBoWr2Jj

Analysis

max time kernel
1044s
max time network
1048s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1M2hQLZS9Qjk9Ae__vw6m2XNjBBoWr2Jj

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
412	msedge.exe
412	msedge.exe
3524	identity_helper.exe
3524	identity_helper.exe
1192	msedge.exe
1192	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5052	7zG.exe
4172	7zG.exe
460	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	5052	7zG.exe
Token: 35	5052	7zG.exe
Token: SeSecurityPrivilege	5052	7zG.exe
Token: SeSecurityPrivilege	5052	7zG.exe
Token: SeRestorePrivilege	548	7zG.exe
Token: 35	548	7zG.exe
Token: SeSecurityPrivilege	548	7zG.exe
Token: SeSecurityPrivilege	548	7zG.exe
Token: SeRestorePrivilege	4172	7zG.exe
Token: 35	4172	7zG.exe
Token: SeSecurityPrivilege	4172	7zG.exe
Token: SeSecurityPrivilege	4172	7zG.exe
Token: SeRestorePrivilege	460	7zG.exe
Token: 35	460	7zG.exe
Token: SeSecurityPrivilege	460	7zG.exe
Token: SeSecurityPrivilege	460	7zG.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
5052	7zG.exe
548	7zG.exe
4172	7zG.exe
460	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 5100	412	msedge.exe	84
PID 412 wrote to memory of 5100	412	msedge.exe	84
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 60	412	msedge.exe	85
PID 412 wrote to memory of 3520	412	msedge.exe	86
PID 412 wrote to memory of 3520	412	msedge.exe	86
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87
PID 412 wrote to memory of 4692	412	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1M2hQLZS9Qjk9Ae__vw6m2XNjBBoWr2Jj
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb02cf46f8,0x7ffb02cf4708,0x7ffb02cf4718
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13006500289431512688,3870518457718945812,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4432

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap16675:150:7zEvent22094
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap18309:150:7zEvent28414
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:548

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap16306:150:7zEvent3263
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23380:150:7zEvent17055
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\378e4d4c-c84c-4136-a130-b12f0b50819b.tmp

Filesize
6KB

MD5
5450b80a598fb57f633375bffd9606b0

SHA1
5e3921bcb73d631dca7144e3c3cb7736905ac957

SHA256
70dcea6e824da5002754c7488562bafeb723bfb0178cf90077120f3e02d7b9c9

SHA512
7359a28f1f6fa55d5b793f976381c400764165c3ecc863b24e2b20f2e8c3d315f06c4db61826a66e8382c2ded74ba20dd1d86f8d052635bd5e9b24d643835e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
684KB

MD5
4f512e8687136fc522b71822f4d08e03

SHA1
b634901f9a7c364aa64e3f8eee5d807ed38af86f

SHA256
3a3bebccae5902561b81f814bc4f3edd8386a0da0bc8c2814531209aeadcf2c6

SHA512
92417361890d501144d7bc90e0936991fa66cec5fd1b3486de84c0a3c1dc7525a0878458dbcdd67d3e2d5b75f6cb3d92ef70962db2c0bb44e480a0b1b043a2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1d6ffd8fd48f7abea7fef47b4cb66a53

SHA1
c1a5512464eeb3da276e1eef89198c2248dffce9

SHA256
b45c0227a36b20979b0357afd376532abad90b82248d537464c1ff15f73248d3

SHA512
e9d7042341d21121c5dd83d20a8aa6b25a8655105dd048180fd987e884d86a0da77f2022cc603c402b4348c1914c99803058a424adb7f64a1c774905ee2103a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c3344d185b0a00d977d91ef71d4b5786

SHA1
9b67a8d5026485e6f8831c2ef5458d2e4553e1d3

SHA256
c60f0e802c88e69358b1db7ddf916fd7409e3ee34bc2fb6bd930fd2d05167eae

SHA512
6534f44e9435e532148dc564fc6e34f2840eb7ede6e1c0ba4a9a91fc8f8b2f84039b8fa688872cf5c0eef08477658d875a193585ead1d274816acac1b20c8238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b342fcfb7f301ef07992908f36729f6f

SHA1
cbfe607b62ca1844bac12be5227c369f269f5188

SHA256
166f6a5b2721f5be25c56cdf8ae13a75a2140aae5359ce75383c0bf51ceae821

SHA512
428b50703be4367e95fb29cdde59dbb19318bc584ed22e56b7801b867a8588fde5c2caac2cc4b19ef6c5ef729eeb968ae7606c685bf16df4242bba88ad5bc298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
1735935e7b778a0a04b9ee3d1ca30cb3

SHA1
2950d2dbdc5125d2540da4e59577129c12e1111a

SHA256
9b0d3c50a5f5ec8cd719f532d2a3a90e4e658141004d5231045030da7ad79f91

SHA512
28297607618a823d4507480a6da9d9d28b7a491bf2969c293379d076876cd0b5a6f33fb7a019c5d8afcec35ddfa8cdd2e3b77fe136138c082336925a119dcf4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
faf6777b2c6ae0867a0902d4c064172c

SHA1
102d7858775c403018e306eeae33f29c8f09e0f4

SHA256
2c796af3dff9b412f02f6b7fb3f355c24135e6bb90f2dfae195d688d045b410e

SHA512
3819917befd3d000085dc314ba03734adeb87fa4154d2ce745fd7e72b6279885c777c9fe62192067a273d17648df73ba23f2dd580cdcf01ff111b523d954cdf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ec4b712e16d580713f207d0b143b7a4

SHA1
7b88de9b55b109badc3b11c0c6a4b4d807d8448d

SHA256
2b56a45c73050ffb3d14f36684b4517326f576246111c3e58de2c470fce99de1

SHA512
4333bc77f58c7278e64db431a70ae4dc90945a0fc450fb485ee8684eba14f3874c929ed36b6fb032dd92e0dc19476dcf83e2d4eafcaf67a5fd4fb93d6392176f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
449b78364dc07e6105db48b6a580c44b

SHA1
fff1a5a9cd1e389c7649ab96dc24b80a88b119b0

SHA256
96a70b78a5fc2e8374c4bc81be0372ee6c952c8379ca179ee7f81c3ba37a97fe

SHA512
bf2edfb77be05a41333c2acd987489b6303b401582ef40d524c4b4dc02365fc18ffcd9e5b3462524a148e0793f8a3c94ee3cc40281219f534d0e813f9286b935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02c707dcc1b444efb8e47edbf9c3bf8b

SHA1
6e5576f7cc02336cda83607858ec4a46a10a3d16

SHA256
fdf09b565cc3e64814c98aa0914ecc8f55fa451603b23ce66dbf473e6e7d5318

SHA512
57ffd976f6aa70f84793b52a754da721cb97858bbda291970cfd860472a43629056633cf4e1528a47c641f472681cecbdcee99c0bcdc02d6ccdce699bef8e850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aee5f0d6262b3649d18bfe292239c17e

SHA1
1e285362e3769f1750af507c924420c9978da43a

SHA256
abf4340c5ecf7fc1be8a1613f2be874eaac74a7669b7c631be547c89582678e6

SHA512
c7cba08aa18b478eb4af6bb3d5bab46cd97581b0cee47b93c9bce7ae1c87ca19e1a128f63eb5ce2005d11f23acc7324bd8c4676a508c5702e4161b3358749aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
608951a2dd361c9920bd60b21564a54c

SHA1
f75c4a730596261e1d4b4a9b54b8a7816dd90020

SHA256
c2bf4c9d5d74865ff98a6ae6bf0fc5bda66156bbc59a9265ad336031c2ed8e4e

SHA512
4c9dcb70339d98729812171851ff36ff19cf323c5ed92d96a3ea32a9212979cbcdd3a38df761c734d96b9dce802ca603788f55417f531295c0c5e97cda93e1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7079d1d8ea64432725a1b58e04c259ac

SHA1
e9d46cdc0fec9cded45e335179d10151275154d7

SHA256
37fb3a32629f54c5c6109d654f1cd54e620b7b6625c5af9c4d5be039ad4ca3a1

SHA512
5d087a2bebbe94272c83c6a6d2a0f5dcd3df1a4b156fa6c311637f5d0d358cca8a2c3d7b9aaf367ec12fbee00e0ca916ef4701b41bb938322e3b7dff81e7a660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58463b.TMP

Filesize
1KB

MD5
c951a51b4c267d647700af4168f9a203

SHA1
3da184bdad456f6be061f152a55c167919882449

SHA256
fbf194a4d126a681b4aebf6de02739ce413f14f6dea3e508fd8b23e11056c3f6

SHA512
8168fb499ef280660ad2bc90bc907808a0c387bf827b2839ac917f846174102a783fb3e246d1db63a3514ac3fde2ab887a826700d3055efa0541fd320874c4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
61ea439f2cce272076a333446317a403

SHA1
048f0f7cdf856c39e5cb6d39d6544ec190b54b4a

SHA256
38c713a7eca856475efe1e3f44e03e39a3a06a4a506d9a1b2aef487142512a41

SHA512
b430173f2b2d7f83b874de489815da34cbf32113ff34894f15505ec6a857abd7087af8e0461e715bf7fbbf77367b2f6047d3dabfa154a7d069367f34b4850e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ecd3aa178d03d02dd9c1467071a744bb

SHA1
f0eb8dc112a0296bb7b8fa8b20f961198bb0a9e6

SHA256
dd6ec016ccba2d43b8c367994bc5c6038856f3773040f97f47010c91e295cc28

SHA512
5c9199a4609ef25b64b36fd2e598f85e606bfa8c3245e90fdaf52e1c7fb8d283db08bab2bbdfdbeb244c4cae40d8310bf4b59b63fafb8425f4127868fbe8d63e

Download Submit