hxxp://folder_flooder[.]bat

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://folder_flooder.bat

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
125	raw.githubusercontent.com
131	camo.githubusercontent.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\NDF\{B54A0127-28EF-40F3-A128-E862CD7FBE94}-temp-08282024-1846.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{B54A0127-28EF-40F3-A128-E862CD7FBE94}-temp-08282024-1846.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{1c23f166-8f9d-430c-abcc-37b573c7fbd5}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{1c23f166-8f9d-430c-abcc-37b573c7fbd5}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-2412658365-3084825385-3340777666-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2412658365-3084825385-3340777666-1000_UserData.bin	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5204	ipconfig.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{A27D787E-54CB-4A88-A4C8-FEC2DB1A156A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
1352	msedge.exe
1352	msedge.exe
3372	identity_helper.exe
3372	identity_helper.exe
6308	sdiagnhost.exe
6308	sdiagnhost.exe
6776	svchost.exe
6776	svchost.exe
6980	msedge.exe
6980	msedge.exe
6132	msedge.exe
6132	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6308	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
2036	msdt.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5436	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 3288	1352	msedge.exe	84
PID 1352 wrote to memory of 3288	1352	msedge.exe	84
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 2500	1352	msedge.exe	85
PID 1352 wrote to memory of 4704	1352	msedge.exe	86
PID 1352 wrote to memory of 4704	1352	msedge.exe	86
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87
PID 1352 wrote to memory of 4292	1352	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://folder_flooder.bat
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83a3746f8,0x7ff83a374708,0x7ff83a374718
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:920
- C:\Windows\system32\msdt.exe
  -modal "262826" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFBE20.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:6412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1868 /prefetch:8
  2⤵
  PID:6972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2052 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:6916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11533714251690381503,11363007461620232510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6864 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6308
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:6476
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:7012
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:5204
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5240
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:5272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
PID:6804
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:6832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024082818.000\NetworkDiagnostics.debugreport.xml

Filesize
137KB

MD5
3b6d13e895fa99ddc3ff0ea2ba6b088e

SHA1
17699cbefea98407538b984df30cb0152b9a21ee

SHA256
34d632053360208143262f6ab4a6f86067eac36851a8922bd253085ac6ca8eca

SHA512
0ce94d99d9e802bd61296b3c704f8c3f59e3983ae516d6ba6a2378c320054fa806ee20d2c1c07f6edeb2f9d8f5c7007593365a421370193a5fb5c9e779433eb1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024082818.000\ResultReport.xml

Filesize
37KB

MD5
d7869e3f227398bfacdababbfedc6da5

SHA1
6d5ff4cc84901333f6fd632669d9be90985acd0c

SHA256
6dd6cb74a8fde41672b73d82715e5a3432226a71589012c2ad5ba07199dcacf0

SHA512
1459a3a06887f0b87d1844ce682b8118dcf80db3de52a2a55ea8e57fa2da18ca816e785978f2292b0e1754ec57f6c3ea15a421c7ac7196fb351c318c8400eebe

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024082818.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
37KB

MD5
e35339c6c7ecfb6f905814a86caa7882

SHA1
2380f4be31da11f9730b20b1b209afdb42bf7f24

SHA256
3f2b391ce2229a0fd88b58ecd0e56b1113fbf27271411a28016394eac9df4984

SHA512
3cf03b85d72d40aa516d1be4315684f932437cc93fb332695fe069cd590b43c5e96c6b10208ec566c9db7875246f452b259e17ab567a4075ff484748070b8375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
37KB

MD5
00835eaf8e8f5ce1d5caa3ccedf12bbb

SHA1
522808cbdda5a5a1c0f774bf0b2b6793c951cc52

SHA256
2665051c30482bee9fb3b1bf1cedd1498b3f28ca81ab7b181838552a884510cc

SHA512
4f4d0661c685939182c53ea410b9c622a5fe910841b6222f43303ff10df95212da49d643ac619fddd08642890dab2800a5e39958020ab82509bbff1ad63147ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
21KB

MD5
94a66764d0bd4c1d12019dcd9b7d2385

SHA1
922ba4ccf5e626923c1821d2df022a11a12183aa

SHA256
341c78787e5c199fa3d7c423854c597fd51a0fc495b9fd8fed010e15c0442548

SHA512
f27ba03356072970452307d81632c906e4b62c56c76b56dfe5c7f0ea898ac1af6be50f91c29f394a2644040929548d186e0fbcea0106e80d9a6a74035f533412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
23KB

MD5
bc715e42e60059c3ea36cd32bfb6ebc9

SHA1
b8961b23c29b9769100116ba0da44f13a24a3dd4

SHA256
110ccd760150c6ac29c987ee2b8f7c56772036f6fe74ff2fb56c094849912745

SHA512
5c0edd336a6d892f0163aa183e5482313dd86f9f5b2d624b3c4529692d70720f4823808f10ee7870fd9368b24de752b343570419fd244c33ad2d9cc86007bedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
46ab0cdd9e4457f8290ec1b5f32aca7f

SHA1
4bcc09b885c3a211a34178437683b7dfc8229751

SHA256
7eab5fe72ad52ff9975ff3287a49c4fad060b514b3abb0e0d2145bb38b72e896

SHA512
cc81b66e58839bb4f82be71408ec5755027c532ec312def5857be00a671ac545f0a25eec13f24b8c7fa4b8b27a3d75fcda000e99779604dccc6b5297b46ecd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
208a153f38dc0046d71576f05af529e7

SHA1
f227df7947ed6ce1435a7cdd7845ca4096f1d544

SHA256
69c950b3796a174c7157be2b947c4cb5e3d9ed978be1f794bf25e80359624fef

SHA512
1f4038263a4434306c701835e0ec0059895688e247b105c41db900939759c9ac8cdfac4b3fb6d7de839572a06ecfbac02baca1c53648f87032870c7917dca2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8cc3913c7d0be9ae5046cffcf709211b

SHA1
9560b7f65a15022bd1aeba95db262f19bf33c1bc

SHA256
47bfdb907bcbafac23eb0f155e49b6f9946ffc1a92c3a5c643b3392aee94d5f7

SHA512
83c3f5b3cd503b807c64a19145198074563bdad000ae0a85da8292f97f48a8d4e1c1589a26631403909430bc563ff522d3f1faa4cf074475aae3fdb6ed849944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0b829842c38dbc9d8594bffb36d006fd

SHA1
6b7bdf9fffe5e07099accac7f91850b9e3a1c665

SHA256
b345769b6e87408d42db36a5112b72fe0ab4e8b0b7d65dca8a3bb7e2eb46a01e

SHA512
740ae74264f05dd0cf21cd7c71a67d80369c8ebc21679da713a786add92d32d5698c99e9a43676318196782bea627980bb7c24391d71418192404fabe606c966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e775d277b13c52a6ef12b0f6eb19d37e

SHA1
c0bda19f57f9eb7b4737448327ab71a26880d74a

SHA256
caa4dd414eecbfc46dbc2769028f1fc206d63b4c2aee8508e8ba684d5040d1ea

SHA512
f540deb01a3762ac6ea3420be54864114fd6a7c74a868b79374c1e1fc2abc018c5cb4a5d1d49eac3210b102a2c2fbf1b51cb528b0c8f3fe0a6de89a69ed594e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef80155cc58b7399d54f4b43f9e95dbf

SHA1
cba2089ca4555cb000a8e59f55071448474d2eee

SHA256
c79fcb570e939746c537d97fb7a4b3a2a061273f138bb8ad7b99f86443b96791

SHA512
72dfac72a8d0b1ad9424acd39f928f0936cc036d81efd13062a25b87d16052f2930126c4f453787771eeca3def3245df1bc6f3159eba501b2495cd082d4c6fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
75a52d2eeaf041b9694eb4737ca8db2a

SHA1
02f8cc000529da4689da1e1c8c220a9bdb7d9033

SHA256
80db297f0a2968309c1e2366b23192c1388a8fb287fda088b7952d46bcbcd87e

SHA512
a13f721de46a606feda015d6c2bf6b34116b8df39139c489a3b6766ee06daf04166f82fc54948e71f1fa765378893c33414f735e066c3744567cad4634d42f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
31ff89c4b62b2b1ba107b926cadd632c

SHA1
ac24a844657d345932a953b63e993546da454943

SHA256
ae21f743d179aafe6e5bb31a8bb98aeddf59e69bc8870c657fd026f1114906f2

SHA512
48215aeacd0ad61a053ae3b4f36c21cd2dcebe846a02259b964a712cbec7cc8bbd9ef7ededce8c94b34f755d45823bb4f096e4ec7fd7d0ab53c9d66861c2c330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39cd430f5d1c19eff6d14c654f74a656

SHA1
fbfcc7eaaead624e156959c1973fb13bcb91d12a

SHA256
e2607d226fcf33e0f2ea47067a76dc9a4fbc6ff2ea1831951b1ecceb74cc9d59

SHA512
2c1c1bb5cedfca25fa1354d7e7316307affc65d276c5383163b94aaf69e90524483decc33e452400accf7cfdae0736933cccc062d4ffa65291eeca788c4361f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54e6c5d91a61fdd87953bf0fdf2b09b3

SHA1
f29429783927fa2329f61711e18b14b9db9cb39f

SHA256
350b524a55b0d961ce9beeba9c626f7b7130c6a99051be98227bddac6674dfad

SHA512
177dd70c676206a5d143d2b7a987e157d7a07c26bc8810749d03c2fb75a2aebcc4fcc0f64036430fcf59839616b2e8db9c3aebcd0b3366d64970c42de6542cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81c617fa29dee96b53a60df41f0cd721

SHA1
37aab84c37fe9ae3156a3f1f2827f92f42af46ee

SHA256
e575297cc403429d235d9680227f7beae3432b84d15225aca8f86a4d9510f327

SHA512
f957078764e14e77105135b026c6cfd4efa7b2a4d383d9e125a38c129474bd6eb48e6e3ca0952529b3970518b060ba12e29b03cae98a7de2d1881f9c20afba9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3cceb7960224b302b2cbdce280766a64

SHA1
2b4f76db32b1b4744f7c8215428c3bcd15896218

SHA256
b87af8e3b4d5055d56c0723dc15e59d88982233d5b70ddbecbc50cb08de49ed2

SHA512
1aac2732fb32a70099a790f967b2f0adb5b030346f44a360cd0048547e2a36d403cb9ae5caa3faa7c71375d801161e27bef041ac59ade150d33e7095ddd36eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
253eafdcdc2d173b4f01b3f99cd5d669

SHA1
d6c1dc49c51b005c2d39659a9504f9007a65c106

SHA256
4fa94a3afddba124764fdc0915378c1abdc74dbd0e633b3b8cb99e6f08f1aa96

SHA512
51999656899e80d351f1d2b754678fffd696f497661fed5690a802586cd513c9f35d36ee571e94c1530943b2d5cf03ea970af2094a56adebc51a02299e937ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c56b838dee85802227383b57f77efa8

SHA1
3b27783407a1005fa0c935b043db780457d38a68

SHA256
9dfa61498ff3a7728943dcfd1f3610e20f56f433f62765c97320b0602b2bac86

SHA512
5715da1c5cd7c0fcd09d12baba3531d4aed66ed1c80a32cb908e666430068d8f6ab772a9d264ea391a06d893ccd6241794ec74d66e18e84295fc2c2d3173b3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c251.TMP

Filesize
1KB

MD5
ac0d4a1f69dea0580bad4935366789b5

SHA1
b70b0bda61294a426e33c9751b98e764542de759

SHA256
fffbdff54cdd3538e0c6c300370554d05ac52a3513bd9c25efe199d5c09c36aa

SHA512
e670482b8d357a6473261c635ee767f0d075647f405f38bd5c63b40a4ebea1ffb1154935ea946fc912e85205b8b68ced32f0639c869575b5763a4f31cf9f2d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
17cc6d12fbab1d4b4cb5e4116908e1da

SHA1
d291cc916483b98058b036903ea62b2b004c0030

SHA256
56f029caef578de228fbf79a1dbb8dce37734713905e001b762f5b521ff8482c

SHA512
abae5bff58b7bbec98611d72c4179c3d26584112b5d7bea61fe30367d1cff0d2107144318edfd2073238d9a30ae34ede3c98290e6083e556a20bc35d369c2139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ef5ea788313462a6ade4b882e9d061f4

SHA1
d1bb9f3b68b9066d82dbeacb424ae4998d8e8550

SHA256
ba687951da66ec3efb26fee2aeed3b882da42a6f16a720b45df6a2b54bff5263

SHA512
e113b643f1964787545e4a0f7c058bc0344a1429e379e23a93246ebbcef4c454528c4011fc41a43e9cbc1dc9915e095c691cd4e153b3baf64e8f5910ffb1d111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2dfbf3d276f6fb7f1282a663648af442

SHA1
e6c3e2318b31c9ebddd2b934363d9d84a5b1558d

SHA256
c98518ebd267ccdf89ef1375565522485d4fa17ee807758c3a98d506ee26bc55

SHA512
4ccc3647fdabb787a040fc687c8ecdbca1c879ef226cc4eed32d17007a74e5e7824a2b8a0a5bae61c77e888c3fe345abcddbfedf4655f5b7c4aa2e10abfe8b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFBE20.tmp

Filesize
3KB

MD5
50419054cf6cc21f77437cf1a4366c20

SHA1
cbad54e4bdac605038a978da67a239d53cf7870a

SHA256
f6243997a496bf6f4a1ede2e903866b79f146ed3877190019ab9d71dbe697dff

SHA512
a9ac1ae51e814d7d01f79a2ece2a5f3357136d974b5d5a1020deb1771a81e9aa5f3da936efd8453bc3b19d5f5f03f9d4b22fb8076b312e8c4fee1825922f452a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3ohsblp.03s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
253f0ff6356aafd8b80d0e97941f51f2

SHA1
7ec747671463bc70c28e4f9011f286fc999423d5

SHA256
bdddd385917f6d2443dcfc5694a4d472d832ef6617602254d8e2452b3283a2d0

SHA512
b5fd5354205d926b8acbe6e0726f8e138fdd1a6c4538214e37b13357201aac4fe082d5f331fd58406bdedbddcc7c474632aaae1d6dd6c734401cd4f114e139db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp\ipconfig.all.txt

Filesize
1KB

MD5
4a78e45dc27bd2c7f156f0d1e3b37828

SHA1
2d9113a9a74d1058f743b549b6eb30cb5a1bcdd2

SHA256
2288535eb1af086d7cdc5971ce2a7df1127edab2a6e9083416e01a25d4756042

SHA512
e157da2d848a79a53775f59af2d3213162625c009fc6c2964d54b4c5cd8864b95e9571628b3de63122279600e51ef289e62600e41f419ba05da7f69c6ec8027f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp\route.print.txt

Filesize
4KB

MD5
1efd24ba18f9c7cdbd51f181dbed6b8c

SHA1
d2a0f4fa993ad37adec69a069877fce578f9f93e

SHA256
4cefbf8a60e1613650dbf0fb8a312f81a3f56e26d0136ff224351627797c930f

SHA512
5df9bca06800796de65ec2050e6a214e8c560150f89596028f05e4fb1ddadefc364677d4740d0e5c4431af531409ef4d2c87a9a45b533c476a857d9c39bb03c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp\setup.inf

Filesize
978B

MD5
daf7e9556e408b05fa10954b20cdca97

SHA1
e5a7f6903dafb612c9f15a69701564e84697c8e9

SHA256
ba9e63f6e6be7e50e0cf201dc8635cf6d565ab94a40ce4078f5b5d5066e32da5

SHA512
a972f05593dff04e705727936801ccb1c95266d5d81ad91e6c58671c033395a233536b83c35f7f2524e6507e9f828bbb3a8405c8c02abf115f48058440794122

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp\setup.rpt

Filesize
283B

MD5
38edfa32bce3bdbdd086e487c91b3eee

SHA1
2be2ae0272af357c9943896e6a5a55051902755d

SHA256
c84ca587fde08dbd2b215dc803a4632bb570f550bc8fc48bc4bfc47e4aa5146c

SHA512
908f1620e939d84bbb0a4a65980966f7dd38c64adf6da15a143c591a7047e287f212d149c9782baad7eb55c510c35c05a5943fdfa1a5ff08e7068e658efeccce

Download Submit
C:\Users\Admin\Downloads\Awesome-Hacking-Resources-master.zip

Filesize
31KB

MD5
be1a7494adde7db38dff82bc0572d6d7

SHA1
2b9367eead63df3440f292643525347309b1244c

SHA256
1f8aa1e2981cc7790783e1a6221da717ddefcc1c93e04f4368d857faecd3ab87

SHA512
340220a94b95f23d2f74faa897d08da118bb99636f2a1e309d955c30ceaa9b26a91c1da7ca02b6500f418c01f495d30754c41f29e16507217dccb343417cd8ea

Download Submit
C:\Windows\TEMP\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_54a93bdf-e709-4859-b8fc-159cce2074a6\result\B54A0127-28EF-40F3-A128-E862CD7FBE94.Diagnose.Admin.0.etl

Filesize
192KB

MD5
ca00ea146821f50fb406c61b0640d8d8

SHA1
50456da1a73a8db5ae94022efb61a3056d14d01b

SHA256
3f070d60f9754f3a818ba19a6fdbc3017ff9736ab081024220e63a08b26a2e45

SHA512
806745cd0a2a5a085b5ba94681bc9076b4a6da035392d5053e6b85056e9b6f07ef81ea271445e2b3e24e7de13f6f2651639ffb93fc8927b638c7a7f0f7f1be9d

Download Submit
memory/6308-412-0x000001FC6C3F0000-0x000001FC6C412000-memory.dmp

Filesize
136KB

Download
memory/6776-432-0x0000028D9AA00000-0x0000028D9AA10000-memory.dmp

Filesize
64KB

Download
memory/6776-436-0x0000028D9AA40000-0x0000028D9AA50000-memory.dmp

Filesize
64KB

Download
memory/6776-440-0x0000028D9AEF0000-0x0000028D9AEF1000-memory.dmp

Filesize
4KB

Download
memory/6776-1210-0x0000028DA0E10000-0x0000028DA0E11000-memory.dmp

Filesize
4KB

Download
memory/6776-1211-0x0000028DA0E00000-0x0000028DA0E01000-memory.dmp

Filesize
4KB

Download
memory/6776-1213-0x0000028D9AF00000-0x0000028D9AF01000-memory.dmp

Filesize
4KB

Download
memory/6776-1214-0x0000028D9AEF0000-0x0000028D9AEF1000-memory.dmp

Filesize
4KB

Download
memory/6776-1216-0x0000028D9AEF0000-0x0000028D9AEF1000-memory.dmp

Filesize
4KB

Download
memory/6776-1219-0x0000028D9AE40000-0x0000028D9AE41000-memory.dmp

Filesize
4KB

Download