mimikatz | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

Resubmissions

30-08-2024 13:08

240830-qc7asswhlm 10

30-08-2024 12:52

240830-p4dbcsvdle 10

30-08-2024 12:50

240830-p25mtswdkr 10

30-08-2024 12:48

240830-p126bawcpr 10

Analysis

max time kernel
102s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 12:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.dll
Size

353KB
MD5

71b6a493388e7d0b40c83ce903bc6b04
SHA1

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512

072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
SSDEEP

6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

Score

10^/10

mimikatz bootkit discovery persistence spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002342c-14.dat	mimikatz

Deletes itself 1 IoCs

pid	Process
4020	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
5052	8647.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files\ResetPush.ppt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\rescache\_merged\2229298842\2057081572.pri	LogonUI.exe
File created	C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3396	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4844	WINWORD.EXE
4844	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4020	rundll32.exe
4020	rundll32.exe
5052	8647.tmp
5052	8647.tmp
5052	8647.tmp
5052	8647.tmp
5052	8647.tmp
5052	8647.tmp
2120	msedge.exe
2120	msedge.exe
996	msedge.exe
996	msedge.exe
3640	msedge.exe
3640	msedge.exe
708	msedge.exe
708	msedge.exe
2308	identity_helper.exe
2308	identity_helper.exe
1524	mspaint.exe
1524	mspaint.exe
2224	mspaint.exe
2224	mspaint.exe
5004	mspaint.exe
5004	mspaint.exe
2292	mspaint.exe
2292	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1400	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4020	rundll32.exe
Token: SeDebugPrivilege	4020	rundll32.exe
Token: SeTcbPrivilege	4020	rundll32.exe
Token: SeDebugPrivilege	5052	8647.tmp

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4844	WINWORD.EXE
4844	WINWORD.EXE
4844	WINWORD.EXE
4844	WINWORD.EXE
4844	WINWORD.EXE
4844	WINWORD.EXE
1524	mspaint.exe
4576	OpenWith.exe
2224	mspaint.exe
1120	OpenWith.exe
5004	mspaint.exe
4708	OpenWith.exe
2292	mspaint.exe
1400	OpenWith.exe
2372	LogonUI.exe
2372	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4020	3600	rundll32.exe	84
PID 3600 wrote to memory of 4020	3600	rundll32.exe	84
PID 3600 wrote to memory of 4020	3600	rundll32.exe	84
PID 4020 wrote to memory of 4428	4020	rundll32.exe	85
PID 4020 wrote to memory of 4428	4020	rundll32.exe	85
PID 4020 wrote to memory of 4428	4020	rundll32.exe	85
PID 4020 wrote to memory of 5052	4020	rundll32.exe	86
PID 4020 wrote to memory of 5052	4020	rundll32.exe	86
PID 4428 wrote to memory of 3396	4428	cmd.exe	89
PID 4428 wrote to memory of 3396	4428	cmd.exe	89
PID 4428 wrote to memory of 3396	4428	cmd.exe	89
PID 996 wrote to memory of 1772	996	msedge.exe	106
PID 996 wrote to memory of 1772	996	msedge.exe	106
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 1880	996	msedge.exe	108
PID 996 wrote to memory of 2120	996	msedge.exe	109
PID 996 wrote to memory of 2120	996	msedge.exe	109
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110
PID 996 wrote to memory of 2788	996	msedge.exe	110

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.dll,#1
  2⤵
  - Deletes itself
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 13:53
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 13:53
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\8647.tmp
    "C:\Users\Admin\AppData\Local\Temp\8647.tmp" \\.\pipe\{47B37868-C5CC-4674-A9A5-6C768BF0E460}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\OpenOptimize.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0xf8,0x108,0x7fffe38646f8,0x7fffe3864708,0x7fffe3864718
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11303222833755528325,8417628429112483022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11303222833755528325,8417628429112483022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,11303222833755528325,8417628429112483022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11303222833755528325,8417628429112483022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11303222833755528325,8417628429112483022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3276

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Documents\CompressRemove.dotx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Documents\DisableClear.mht
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe38646f8,0x7fffe3864708,0x7fffe3864718
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,14883036566652761845,13857491295624687868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\RevokeMerge.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\RevokeMerge.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\RevokeMerge.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\RevokeMerge.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c1855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
056902ae65cf72124b8d09bc0e050925

SHA1
8aa78afc395020e4a4ac2bacc51bf344f09de09f

SHA256
4f7ebabe599ac544a6e1baf3afb2e68ac52fca40aea4011318e82f52c7942da7

SHA512
2859527e4ffcaafa0805f2af105cfa39474699f99bf72a154141b144f0568c538401e8affe2cb2d63b68cc67b41792fb29039e07aa084929f6ae6db3d3bb0ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ce4cd7c81caca6329ec85912899b037

SHA1
e231cc63943c9880550ac8aa2654392cff392bd9

SHA256
dfdba7bcb2920c99e96a288a8f1508f044f1c4bbe33c5799db17e21c548f1cf9

SHA512
598c53c0ef6422c32c737e5e5a9ade119d6ce55887c14b19d4b84dcb5cea66554b0a732d37389c649ff0e1ee66f40fe4ee5b06088905041c80a0659c483b931c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
20f603f2d2d200ed7176762d39e103ae

SHA1
9a0c6f9e2df12c9e0556f26dc4cbfc29dd16bb21

SHA256
a8e18a827c8908561db76ab651e3c14521438074f102e2f404b9e75fa76441cd

SHA512
1da1ec6ac806b094df7b2ab71245a147f2dd11fb7d324992355fa3dccff36783e7a8f0ee10765fb500275af688777e9a0be173fda83286e334955213c200484c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
26677eccee5bc5250f645445678e97b0

SHA1
518c31058b983253d6d637218186771ce7a64b3e

SHA256
4df8bae9c05cb478e7f0e6e9b09aa7a92cc3e0eed9cd23ae17d0ace275ce1952

SHA512
fb4932ec051498d22a5d53b440935dbc461f66bef70d5ced74f72f7d446afd5b35f88065f0284662375613ee9ab7a0d0474a41a2d78e2dc27c74338fcfc91d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
23ff3f9a4e53708cd487d8533736e6fe

SHA1
1ce6baf82d84a52cd162c29e68c6e80816d09b3b

SHA256
ceb74cfc55ef2abe69e1d52b9b24dafc718311175c4d6ba36d3fb3dc81af4713

SHA512
3ac40b70e2ecad69ac83df6c5ec583455ff209ad52bdfa09b799dcaef24f71f5450b406acd6f690e0f3f2ee8c2563e6fb6288a6047ae43d1272937542b45a498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
508B

MD5
4612a5a37f7432c7ec0894758cbcfb96

SHA1
9633498eb0388aa5150c4743d20dd8e5520a29d0

SHA256
ab359bdd0cf827e93a379f5ba029946f8776ac6ee4c9b931d31936e7c40aca58

SHA512
e38a08a18ea4e6daf1359a5f938f12720383b84f3830a7bd32f58235aa2a1f0b5f294602ec95b2f15a8769e278c847277bab80329483b30389129a2efbf4d83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
530fcc50add1dc321493e8cb13d844dc

SHA1
886b7b6b0c0e0367ed856e0cf4ee4c269ef44cfd

SHA256
a1baf3931ab017a436ededc4cc512e7358d5bdfcdd4d7efa0f93dfea2d2c0fee

SHA512
7179732fd27e4f54614013c0b902fc7bfcf811777247defaee88b43783b5351ca9f81b5ddcbad950326b0b3ff163a787d4cf8bacc1f8fa39a24b3ad9873ec183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
73633e82a11d5bb8854e34f42ce88d68

SHA1
6dabfc6b78219ff77382b54e950ac50f138188c9

SHA256
bba89fc9563da06626d52dba0f3fcade95c0cd6716c8c2124a5e3c6db8d85304

SHA512
6caf953ff3d86c4b5746ab715ca97ad5209ccace5f79dc7865462527724e9476f25b0dffcdf67d9665b1882888d962ad149fa24a9a5dcf6b8bbbdec721cfff52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bae7f1b3b3b19c2a60209cd034f65fda

SHA1
ca1e4a95c41da1c50bdee57d0a8f7da32b0f68bb

SHA256
d278da1ba89f79c95e10d05aa59cd3a15f1d80bdee859ef0164dd1477f29a156

SHA512
a2ae582f2caaebb141c9ef9d9f1fc3dd29956e4ec5b785090d8740b5d03bfd8f277f7055eac17e4335a64512a0191b0338d4c12ca8ab0476eee63203eb3685cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea028eb830a3f9783c2c0f946b0dfb2f

SHA1
d7a25abe8333a6fadf6a775e2eb00f70b8b73b03

SHA256
39e3e11a1df477e48cbfd3cdf9d1c2627ae768deef00ca161d1b99974f2379c2

SHA512
b2a4d4787b8160a18a7dd398b1c4336991e72d2991e616e4822a8c113632c51d228704754d65b21515d83d68aa15922578245cf0883d598a92f3a99d16a492ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3045c7e78f55d82e9b4449626e93f63a

SHA1
4d54743c758c88020bbabb64ffebd795c635e8fe

SHA256
4fd65f79728c54d715f20cbaffbdce68e31d05894d1d9f7f63980a141dd31b21

SHA512
50a07da7d47dbb53fa335460cc896d2dd1a42580dd4a3869a2d8d90dbfc06386648fab25266d8a89b8a19f7ccad6541bb67c098342d41881a6c5927ac8687521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da5ee425e79d23a06ae89eecf4bc51ac

SHA1
b4a35116f73d428c025d11c73b83ed05529c279d

SHA256
bb05439a816ad8b58da07f6e8c73bd0c6da233f32f5d5636fd513126568f4a4f

SHA512
87f4e2191b30367aeba3ee1b89438e4e9ed984efdcc201fd066dcc6ab82ab9dd2140c360e620dfa6233c419d4e71e949ab2eddf1649d49513e68c73aa666f505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
f87b6ea77b8f9c1b1801e73984d3fe32

SHA1
84622af137cc997c328c4b267e9f76a88fb6d5ca

SHA256
2de04ed661b3cf7de3b2c7c5e435dd7a7365f5ef049ecf9b0a1fec5aa0f4d407

SHA512
5033ad57b8bb373ca2fef62bc57f76bde84263a51c8699193a0435f97102b0f36471ef05e4eb2f454f9f883e781ad042fc09301a263f1d644fbbfcf30c1b6fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13369495866762890

Filesize
1KB

MD5
167e1271dee3d7c6bfaf00db813bf928

SHA1
4684f567bec7fe326c4e4a3a18a8e6a6aed775ea

SHA256
8037bd71f4a272d3a99069f88976acc3b6ea20fbcd5944c91dd6018c747b6636

SHA512
0d2d4f191f20b9d717ab0e4f4734722c8ee6e54c949ade2862f214af4019928a9351106ad973737e1af7dbdf519c85cad0b1283871cccc55f2f02dc17eceb119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369495867031890

Filesize
1KB

MD5
9c1bece838d11f6e09e045d2b8dbd523

SHA1
898db01f40b9a2b41eda1d91029ced3bde9dd9f3

SHA256
56fd9d53a6f6231b0ac33d42a6d31d5bf3c2fdcc589ad70359635dd87914c2ba

SHA512
9b7add4706dcd05cfbda256f86defb38fb9f5b2619557a887afa463d5e851294bf046bee1713c6cd887251adba465d62083ca4c7ca7868d17177b8f95d335250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
393714f3701bab127069fc9695be0c54

SHA1
b274d66cd69f2a520d0dbb7250a05abcf1fd5ba1

SHA256
2cd1ed66d2f7b4c1748553b3af710030279ffcee04674da50bec829ce67345c8

SHA512
7ec7978859d7f2cafdcaefbef53959bb37077636909a60ce08a725b8ac56806fb19d4634f96b7a02f12b628e56cbaa4a32812ce4c23504bff74857e9a4d01390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
8c0bff3959bb2ee2827a0cc58b31eb78

SHA1
6725a51f43753b32bd807340b6fa1fa47bb7415f

SHA256
e22a3013565b1a58c01cd06a35be6ad6169f1daddb5b977a4b24d2dd0b8d1c47

SHA512
328686691740a777810fc080dd01a47659f75848422da89f58661409afe1e27deab777da0cc1ed8ab8c5eba7d550fa4467ffc284db6e431fa37f12f04fdba2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
6651b30eabfdf0e08ec7270d24e36cc6

SHA1
31cc3a86329c0135405a2a430bc8acc9f64e045a

SHA256
7f71e78dea5c06e98f3fbd4c619dda6ea63e9a07378ea2b8535482bc84fb9746

SHA512
3a3740577cfa4fb12b14b09749f34d7e1265c36e05f9476a4622b422103df04f389468ffdc2bb9e55e8670d6068d867f1780bd39c9170b55971793e1641cf8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
4f2d47ceeb28b460d9fa7243379a9246

SHA1
c3224d2342c65fb4ea9e16615276489d91b9646f

SHA256
ee23203bf8efc6f5ba73cb71fbf64e230eba6cb7b4d2d617d3c7f3da0a18d849

SHA512
a98c4b015bc099096d56560f09fd544e0016d0cb80b0960adcadd45bccb8f14de3d9b9a0093628cdec61ad6f4cc5fd6cd59d40a7f88ea814ed266eff6c3e6225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
11e27a0840be4a5052ef0902ac7c832d

SHA1
2bbd9a112c89a0736bae8fe9da5beedb82136bc2

SHA256
705b2181ff8756a2b2cfb327b7f5ba6a2af178808dccab31f45b94432454b08a

SHA512
a7b6eb08d5887ee90f1a91ad355a8f7b8ff06ede5f6fa5d8c53c3d2f25e4432c947ad8abde1a6cf5b056e5226e327cafa50b6e4ba17fad85cbf2121d489e6b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
a04cb91678c7248885368eec8d6a1360

SHA1
dbed7bd8b7538318c0b1b4d07c99cd206706c1d3

SHA256
58d0717b1cf3a22fc405e00a1e699ce9f26078a252496356cc65edc87127e342

SHA512
d3eae729aa8c3aeeb2cd314d95d6a630c3a2ab7d53ff9389b1cfbbe2515ae0fb49fd6362f8c84106467d5dd57b9bb309921ca466f950358fe2247005d73a5f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
800da42e3ca01f7fafcf174b63419e74

SHA1
a44ad3887b3fb405c89bbfb75ab0ccfe55aae9b7

SHA256
fffdfd7e19a30a481f35860cb60edb245aa8c0dc10c2bb9d0aa388275a1775f2

SHA512
873b8eb080e64abf8c8a2fed3b370bb8ea9582737b9ab9793c1c3a013604c34734aa99eae3655050e1184f50629a6e3456ecc7851afd4b4cfc4f6310863675d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
a7fffef2c635d7d308fbcb23a2d8b92b

SHA1
aa51a2343520c09016faf8c250a698ed9ddaa705

SHA256
9ef2f5600d4c660eb8d9efc24393cb241f1ba6e8ab077312753af818eeaf4803

SHA512
a98cc51cd1deb084807ff17e847e7003c8ba47adc559fa96f6de0106609b8efd85ec5294f1c5ea500986f80373888c46b0427bfc678cb5f41d910882b5edb457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
27d9c805a2caecc61f1a2ac8cd0a958b

SHA1
d7801cfdbc0752b9cb5513f20650ad29df03df6b

SHA256
ea14dabbd0e79b1d4b310ff505bf961f097074920d7edb90d3b94da0d7a0be02

SHA512
8185435b1f33ef76d4bc36bcc38a4a7aa72062e386d2e0bb6c0f032b091f44d5ef6af4b95754e94875bdf700e7315edaa428c5cf272dd419f4810309cc7ab76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd9410f0055d7c2654d992761b3dcba8

SHA1
e3a015f71d636f02cb7dc446fc766d3bfffce031

SHA256
6c9e6b080378d08becb99804adb1196fe0fd3cc25c7e2be5710e7aa15936433d

SHA512
ada0f91d5009bf9b98836daecc6175fd5c6d654fe06cf7999cd5e669cb67105bf0fb278f653bcc680f149e1c107b5e4abf0a1a24739e92089bbf7a7c79ac55a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
eccce5791c52eb92e1ddff18397f8377

SHA1
ebd03a2a7b173d6cbc650b0a864e3057f8687966

SHA256
a7652619b2aa88acc6f7b1a27adc9a79bf4fd570efb1e10311510cd1bca466b4

SHA512
2106cb4613d9d6ea94621fa2971eb8abb7f41afe2697c13f89cd0f11d51ca0d7fc6c80a876396bba82a6605815134d0496c6f09387019a3ddb7c6660354d53a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9c73ec2ccfac4d0a316ddd02ee1eff81

SHA1
3b739c8c804d769328f1ac994e3898ac0e9b34a3

SHA256
76321019530c464d16960a5d7c1bbd0facaf61659edf8bd4bb97cbb46a8cd503

SHA512
a94de00484cf643d40f5777d47aad96652949005d42abbda24f2ce599aea33476f88152229ab85c659b254db06879920e8228569b92f0eaa3ae8b7a223779715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Filesize
2KB

MD5
8112f0677a06903bc583510781fc56b8

SHA1
891d282c24c531afccc160d4f34b3b56b509b68a

SHA256
7d5aafd5bf0c24cf07a8529a07b6fdec68ee1665d5a224836d5c0b22db59982d

SHA512
da689ddbe782fe314bb89d34cd4aaa1271bdf8afe8050452bca376c82af0ecda4c71888edb11b8023422037fae93234ea54b14177b63b866768ce37a1fe64d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8647.tmp

Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
memory/3024-292-0x0000026DCBDA0000-0x0000026DCBDB0000-memory.dmp

Filesize
64KB

Download
memory/3024-305-0x0000026DD4AB0000-0x0000026DD4AB1000-memory.dmp

Filesize
4KB

Download
memory/3024-311-0x0000026DD4B50000-0x0000026DD4B51000-memory.dmp

Filesize
4KB

Download
memory/3024-310-0x0000026DD4B50000-0x0000026DD4B51000-memory.dmp

Filesize
4KB

Download
memory/3024-309-0x0000026DD4B40000-0x0000026DD4B41000-memory.dmp

Filesize
4KB

Download
memory/3024-308-0x0000026DD4B40000-0x0000026DD4B41000-memory.dmp

Filesize
4KB

Download
memory/3024-307-0x0000026DD4AB0000-0x0000026DD4AB1000-memory.dmp

Filesize
4KB

Download
memory/3024-296-0x0000026DCC760000-0x0000026DCC770000-memory.dmp

Filesize
64KB

Download
memory/3024-303-0x0000026DD4A30000-0x0000026DD4A31000-memory.dmp

Filesize
4KB

Download
memory/4020-0-0x0000000003010000-0x000000000306E000-memory.dmp

Filesize
376KB

Download
memory/4020-22-0x0000000003010000-0x000000000306E000-memory.dmp

Filesize
376KB

Download
memory/4020-9-0x0000000003010000-0x000000000306E000-memory.dmp

Filesize
376KB

Download
memory/4020-11-0x0000000003010000-0x000000000306E000-memory.dmp

Filesize
376KB

Download
memory/4020-8-0x0000000003010000-0x000000000306E000-memory.dmp

Filesize
376KB

Download
memory/4844-126-0x00007FF7C0430000-0x00007FF7C0440000-memory.dmp

Filesize
64KB

Download
memory/4844-160-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-161-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-159-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-158-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-121-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-125-0x00007FF7C0430000-0x00007FF7C0440000-memory.dmp

Filesize
64KB

Download
memory/4844-124-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-123-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-120-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download
memory/4844-122-0x00007FF7C2B70000-0x00007FF7C2B80000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads