hxxp://232[.]168[.]11[.]51

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://232.168.11.51

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{FB243CBA-8C4B-48B4-B4FF-5BFFF2300FBD}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
4624	msedge.exe
4624	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
5116	msedge.exe
5116	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4220	4624	msedge.exe	84
PID 4624 wrote to memory of 4220	4624	msedge.exe	84
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2872	4624	msedge.exe	85
PID 4624 wrote to memory of 2300	4624	msedge.exe	86
PID 4624 wrote to memory of 2300	4624	msedge.exe	86
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87
PID 4624 wrote to memory of 3172	4624	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://232.168.11.51
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce26946f8,0x7ffce2694708,0x7ffce2694718
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7132191217658054832,16440111053695689349,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
38KB

MD5
bff21faca239119a0a3b3cf74ea079c6

SHA1
60a40c7e60425efe81e08f44731e42b4914e8ddf

SHA256
8ea48b2ac756062818bd4ee2d289b88d0d62dc42a36cb6eee5bdd2ff347816c7

SHA512
f9e5baefacae0cdb7b9c93afc43ad6ec3902b28c0cdf569e1a7013f4e5c8dfb7b389b5e2bc724b4ddfe554437320f4f2cc648642944c6f48ad2a78815acd9658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
b4e1a7f4858f6e2445b512e4a7eed0fd

SHA1
a32411a91c1b555e4908392134832fd1aed0b39d

SHA256
a70812446f79c690cf5a604ce9fc065935b6ab71e2fd2dfa0c17be9a7e31568e

SHA512
0738f43675adc488bad7abb4649556ff7d0980ab225a1a397737dfb60595a619917a467d6748c6521b52e36499c557196f962c9383daeb840adad4b1d1466bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
55a6528f21b004061ece7cb6cb946950

SHA1
02255f2cf61f4ff2dd327b9e3c6d5b539e0ca6dd

SHA256
30bc3a048932471681b85f2dd2bae84df75dbcdd3488de84390a4bbc0d156ff8

SHA512
ccd469ea88829a89be22dc459389877dac5a829b4cd56de9f47e7f45a0e1a050a7926010f81dbca93fbc9b87b0945983626aca4734bb5f399eb5af378cfbc7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d661c54d66bf8e5132395875215ec4a0

SHA1
b5cb969889238772009fb883ebedc599377f2659

SHA256
e2244187a8852a993a43466626f9b91efe8c87813cdb9362ea4620be5100f91f

SHA512
fc4ed8aedaf3abcdc5427cef0804603a91ee5894f416ff850f70dcd92c856fc93f719736c0b2a991f6ec9e855fe0cee4d0224384869c66dcbe92a03e7a650f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4788a35087137c32f699fcb4a6de1cf8

SHA1
711e64b7a261bde5a5806eebea3e8ca863648dd0

SHA256
549334dac14596777b899a1e742ff517bbd35605e1cea168201b852884bc13ea

SHA512
9ded2a6a5db973005c8bbf25fa13d060fa840b8663f33bf6c7caaa94697fe6065dbf589cd6ee03b7eb4a8b2526bfa7ad61428f1b8cbf2e1f4071e06d82367e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34f2535ef856b59799a03b390f24142d

SHA1
781963c424eb152d1326ea62c58ef326f8c3eb83

SHA256
107e8ed5fe88fc70b70518a9afd4d60b13ff044dc047dc37c299143d1921acc2

SHA512
e579a22c3119bd88bacb3bcbf7548aa4b6f49dfc530a2f4bce387994958ed445359930970fcacf095dc99d89b8fa2c8ed4021b3d1594f24b72f2c2d95f3cbacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4704be9731e5fdae4268dff237dbc3f6

SHA1
7476826055dcf717c6e0e00281aae7bf0f16f3cb

SHA256
0f929621184b08f6c380a73735da91355c55a4901c5d49bc99759b5a26daa1f1

SHA512
c83cc1e5a38d8a51cc3beb22bef755667030b3cc845c5fc403c75189df4d1ba28484867260f105f891c04620d94988618105db88845db7e2f29a90806f03f4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
acd463ff97742ea1afe4f572edef5bc6

SHA1
3ef1a1658b5cb048d7bd4430351a33882d5dab0d

SHA256
be0206343d16e2d6d966a370b4fd9f8078be165dcfde2e7ede0eb8ae2344338f

SHA512
ffa5c309b2fcb6c2f2c06263401172e7f0e2327c4fc5ec6d4f71919b58737789057c2e9605534f22760cc034b79c5f259e9d0c6a5cc4b757a0a64f3d4e9dd2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
024a61a778d133c93fb5f50773bfa353

SHA1
be726d6c44cb5df271de8411b6fbbab0f832f8eb

SHA256
76bcb53cb9773cdbe8893ef649a37340774792a923469f169439cb86f7ed3678

SHA512
2fed6ae2dfc149b69623c7fd6577e6b6e4e1e3e62953eb0963c06aca9f0a14841c1d5d27b832d40cc56983f61aaf4ecea9a363d066859723e62808947537276a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63ad691457d234670f5d862597b9552a

SHA1
125e603ad84046f92c7c9b38f06197df499424ce

SHA256
7f531fe649be5b6a39a872026603a614e88e57356d7aaa8b4a61f4d5b9101ceb

SHA512
7b9616ee14cf4e5eefef908334a85d9459862f6c3fa476b0af53b709f888a63be1959ba379e96dff89262fd6353ff38e10fe2f99830656e2c4ceefa00ed832b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c63a11848dda6537d6e325e8028700b5

SHA1
d899b95bf391adeecc12d21be712ba5ff0e46497

SHA256
f3cfd84d3e3a46273851aa2f31ed2505f39d4c4aebf6a47bc8bb7c53658ae287

SHA512
229555225ea72b0e0063a24b77f81923b96e98c513690d9aa58ac92333fd2113113b402fcc19f501ff330a9dcadd0772aa93a77b457b0b6224ce71befff09353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcd99d50fe935dae57a13b21017fcb5b

SHA1
1fe7d46434698f637bd5a33f7d93ae63ec2204df

SHA256
c1c1863ecba2c9bcb97c55a63023369a607cfe43ff5a73423261ce70e34e92c7

SHA512
dcbcdcb9895b92dfdb2909c6065b9fb44393f5b1ecd6d450dc455ca6541265502cacaf951266074a87c7fee7d9bfc899359cc971afc24911995d8de81ad0100a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
586559a49052b4d3e1b7fa4743e5ffbd

SHA1
c72eeb5a9eee56120b6879c5c955d88fc30cc443

SHA256
bbc81494b301d4cbaa4bd8734760424d0af96fc7bd3cfaba898d832b4ffc25a7

SHA512
79ceb7e311e1e6481946d4511ffc90482fa6df097f41328a78fd14f1aa214f1f045d1aa0879a92f07a7f68803eab4f6006960552169b50691d7dbcb567503958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5875a8.TMP

Filesize
538B

MD5
a660f54e6fdad18aaa6e02fa392ded87

SHA1
2f6981f8bdc5b6423df8b9d09ec3cb18a42ab031

SHA256
86c847528df32856a299dfc97609cfdc5c58b9d321d4ea2cf46d0e1a764d31f5

SHA512
361bd8667ab45d301631bee5e777ddb4cf4fc07838885f39cb9f7185e8d11c9330beb965b369876f3b666f012892f1f4286046c6e33ff37118a49dcf4620bb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6743a27cd82abce2bd6c8c76c2b56163

SHA1
da31f1d97833d7c46b0a0473683a1978e4ed5828

SHA256
457ea80a50e4108e34189352e6f1bf9e6ced0c78bfd4b470a13114139ef99719

SHA512
e459b72a5f006ab1954a2ccd9f3ea403a4a3088470330945706acb60be2959e7a8aeed8be63b7402c1a9326aad8b365ba1e9afeb30bb5935a79884cfb45d2bae

Download Submit