hxxps://anydesk[.]com/en/downloads/thank-you?dv=win_exe

Analysis

max time kernel
300s
max time network
299s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-10-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anydesk.com/en/downloads/thank-you?dv=win_exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\066cbb4a-8a1a-4d53-be72-79478fcbdc07.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241031082338.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 776154.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
836	msedge.exe
836	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
5696	msedge.exe
5696	msedge.exe
5596	identity_helper.exe
5596	identity_helper.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5040	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4032	3964	msedge.exe	81
PID 3964 wrote to memory of 4032	3964	msedge.exe	81
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 4688	3964	msedge.exe	85
PID 3964 wrote to memory of 836	3964	msedge.exe	86
PID 3964 wrote to memory of 836	3964	msedge.exe	86
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87
PID 3964 wrote to memory of 4968	3964	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://anydesk.com/en/downloads/thank-you?dv=win_exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffb3bfb46f8,0x7ffb3bfb4708,0x7ffb3bfb4718
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7024 /prefetch:8
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5308
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6f75a5460,0x7ff6f75a5470,0x7ff6f75a5480
    3⤵
    PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4710828753697439492,13763892296292406010,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
082c9c8f00ab00f4b1dfc893ed646666

SHA1
706bc874e44042407deb1d724ef5eca79998acc6

SHA256
f55173d73f79a859f26610490d33d8fb1af1ee83356d6a8a106e600af2c95bbe

SHA512
dcfe25c1c6fa03a64bc94c0b3211764d1d8d15dcd7f7d77756931cc3d21836814833ff65a4f024d8e3fc7884f3d2f2da0f481fa6cf8ab7b642b0bc73f2e39faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
cbdeea05518233fe5c61d847d614001d

SHA1
4ffc7d742a5708afbbc59f6a940177685fd9946c

SHA256
f2c9018873564e60adb2e716b25a1994cb1752829df0915f59abea50a5c94780

SHA512
1ca2802b990843543ad31d42df32b2a50d5a21c0db344accb80c371440673beb9675f687792e2271bb7dc05c5d3158ae6c2b3cd77c3d48aa10f1f31b5e09f887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
548f863307639000f50d72133ad84211

SHA1
0e011e54f4c4460e949bb2f8178907130dc8cba4

SHA256
75b85bfbda15569fcb83c9eb50c8b6ed5dd7bde8cff98e03e456e12b80be7cdf

SHA512
e2d3b6c270848584263a772dfa651424292a7c524fc7801d0dc7d47ac14b589bcffe11a2a59b9f5d979e3dca6e2d108c22e3f556a4f39b283aea3970cffef964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
885c50cff6d9585d2c6c7cbf8c83c8b1

SHA1
03b568c2606dc23a9330f09b76c6b55c6b07f4cf

SHA256
9de9a49e9ff164c5e2f6b5e1b9e25bb85655db0a8ccb3a01ae4a9f4151efbcaf

SHA512
c8a19c48bf8253f9d7a3756ab056724bdc28893094ca21196f21b44527d66acddfa7db6a5fdc15366bc883a6c60c2364cadb3f54d25162ff4f00fbc3be608070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58df30.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39d44da1840ae53cc0d735729e6eb28e

SHA1
b6608a979fae871bb12926d662817f1e324802fe

SHA256
1f90fb974c9b8fc63600fee5dda50c751260b382fc817494ac20d9f87708e59c

SHA512
cf4c38bd2c8190a89b743d65575a48a7a0896c79dbcab57de4b958fa18427e312196e01326d39ba04a14b240828e541c5751077cd9965488cafa809f1ff0cbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fd7e62cab2ba732300b3d417f9f46133

SHA1
85dfb36cd7583fcc8dd8bf94e58e3d465f4c588d

SHA256
aa412a1dba6d5f571944066b21ddb25f94a339d0e69b28bd4bbc94d96bbe2209

SHA512
702fc0b9e650b5c22ca124e8dade329dc21281ccd160a0afdffcb4fa96963adfc346e60cb44f659829b6873b230c36d6488a0028c56c2c1720203c8cc85b757e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
61f9f3bb540760e2593190b84eba8b5b

SHA1
dfce23d1aa33e1b13b3078faeb9f5528814ea20e

SHA256
c273430ebbe8a240bbfa24456515f1a54df8cc83a36560689a765f5074a2702a

SHA512
4e50ec8f90c1b8ccd0d324bbc9364dc114b6c1b45fb13362a0ce09f611e6499d3d24ef5267c1920e05041da0d6ae5e5afdd08ddd4d5b5d0ece8bdc2ea48c2880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
86B

MD5
9b5779effc84a85bbe68a865424467b7

SHA1
1ca22c92855a2542d51518ee700f46b1e46f702b

SHA256
23444faafaba83a9a0d16d14660a2576a55b47e76ee8cdce0338b8fad18a40dc

SHA512
9bc335944e51acc186dbd4a30f0212493b821b92333ca4888c11eb233ed9669c4a8fb40be5cad27438737baf48601ab464060eccbb41c0af6f8f23452ffbfa89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
79B

MD5
dfbad21dec0c397d4f369b80bf3699e8

SHA1
476ae5da20ca7b70d60640c5c85a6f8967945fbb

SHA256
83f324fa116d0f3bae24f3db87a36fe404965b93318a31b550fdf8a6d40f932d

SHA512
2b1b612d0160c10f8e67ca8a647902525bdcb2cb7d251c0d75ae89d40f59f34d54b3d51711d7873f11d8cfce6ee2aeddabd5ceb8f576b4ec79758646789b2c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b5fdc5fcfa3d3550a71d2acc50069573

SHA1
80a2a6553ef47ffa91965a245363a1b312aacfd2

SHA256
334d53c3ac70f9a4d672116efa8f3b3a58afc131669134f43527024a4bc729fe

SHA512
4d4b80041fd9f7ebaf0b326ed9775928832180f35d19d01ec2de62bf2deaf2720c38ca507f90fb6f66336c7c99e67151a0e42abb2444658ce3a555d61ca77576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584fe0.TMP

Filesize
48B

MD5
97f2ce920b0f54362432a9ea164733c6

SHA1
f0eb4b00d8e12dd9e8a216f94d6cd77dd3ae6791

SHA256
687251479a7959c21849b056b45c7f7e84ae6634eb4630dd8c6eb47ebf159bde

SHA512
8eb722eac9235b0313617466de855130f6a32a0c158cd88a44783552fa7b9ab611c2d105d6dd4f29daa0f085f84213d64900d913ac8a9953e00c0a001d096a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
78fbc7e13679ab482505644ca7881e12

SHA1
7a22139ebe9c0e7f351077c243f36dc40eeb3a39

SHA256
3e5ca96f248fa6a7730861f3140d59e0306800a42048dadcedff9bf5eedd1972

SHA512
d3190295597430e9ce93a3e0343af6c43048c043e9a304cddd700328eeed2d9ae0a3b97611cc0fd414c69b80cbdb19601a1c6b2dc5f1ab9045c6f52f3eb40386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
814ca12574fa32d51e3103cc19267edb

SHA1
983b64e728cf151195a3838200ffea45000e5daa

SHA256
cbd2d9d1df8cb80e62c6d48a4ed1bab621a68bad41703370b0b3ca92837b8788

SHA512
f045a8e972aaefb21ef05983f9635a1eba625603f333462e5f31cd1c2b897f79d9c50c8f41a404383afebfd47bf70199629d4e882d0d95400e61a805c9a3aed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
965a7a5221563d208627035363d5b9bd

SHA1
b848ed6040fa2aa0bcce988e3da30c581acf9024

SHA256
d2f552f59fd9f82d4cd1811725b59025e914192d439346e276e666fa8495bbfe

SHA512
483b7f3162e697b89b53f7c99beb38596066be386c2ce7c34d58b20954d9da12b3d36149196d682555d21e57af77d3c84f495cff020abaf3aa03c535a04a395f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
004704920b6999a5c7036dcbb24a4014

SHA1
68eec02a21f96e2bc4dfb0f37ade7f8c7da4246c

SHA256
567b93466b7d57a58561a5a3706904ffac0f9aa98f69a1891b2f253cd8442bab

SHA512
b125fdcc7fc77ecc051648730d1bd50199f37507f5eabe7587ab78b1eee8cb3b1b090b8e65ff52b7013c878ad1d9869d25b092a0710b5dd168109df731dd5551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5816bf.TMP

Filesize
2KB

MD5
d4c05da0d195984a088b14c6b016b350

SHA1
61efddb5e4394ef0ff1cda6316db75d5de408065

SHA256
d216501b20fbe07d663db3528e5383e9ee810f33cea8e5556fccae757259b5c7

SHA512
7ebdb9333eb6692696db3819f304aaec4b6e6033c6a0a85ca4e2ae32c4c08847220f7f26c95997688a263b777f8b70f2ca8fe5ae887655396fe0fa78e673a7b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8a29ae4520eac18443b6ce33e71cde7e

SHA1
93a47d6cac8b8b7e6d1dd19e17aad19b099008a9

SHA256
4bbac332cbe4beec8d05d6eb832ebd8738a76e21b9335ee84dd54207e2d59b46

SHA512
10807b12b3368aba911080b3e866a1110285b3352938751eb3f20326ac840f09fa0d29e1c7caa504c4d8d7d0d63a36db6e05624a8bdc73d98db3d1035d55e7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc09a80c713204af7755e02bb3dd53b0

SHA1
dd1fde119a0c5e27b828a3d1bdaca431ca6be748

SHA256
ab20de56b63905cbf6e769bd02d46dab17ec53d2b64667a9a6a5a09cbd9cde6a

SHA512
8ac94fb4d8eb9c8dd65acca5897b368b92ef9e0276df42a5b356d24cf1883e44bd60b3667940a746a3bb462bb8eefdf4c8b0b885bf737bd3c3274e65cec371da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
be085a7c1a061b73e6e2e4da4b83fc2b

SHA1
9001de54284cabccc8b59f79e9e5b04f2c509e8d

SHA256
f0a48f46f77d7dedc0eb6198f4d6b1a7e3d1a432af98d37db03e41ab21bbcbeb

SHA512
65cf978832442c47d48804fc17456ea0bc85512e3f99cbd58201f55debeb44f4f4ca55c09245d49b0b9d4d207e471238def82faa8162f36a72b60cb80d48ff6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
56f47ac641de2567124c04088d6f3a43

SHA1
7580b4cad5a96132915211667da75559d3a8ba7b

SHA256
773310088d08246c678c4bb12165e0c441a5a24947da5e15840772370f961d65

SHA512
a33ef35a999f728767769188652f31cb20115670933ed13ebb1dc72d67bdbcbc19428b47cd961054cbb2701e9dd6b5474d6b1c413686cac13cd6c3008565348a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 776154.crdownload

Filesize
4.8MB

MD5
ecae8b9c820ce255108f6050c26c37a1

SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f

SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4

Download Submit