hxxps://drive[.]google[.]com/file/d/1AG_pSVCiEi5IJ4ZXCLAHB6QRIeHFibcX/view?usp=drive_link

Analysis

max time kernel
138s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-11-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1AG_pSVCiEi5IJ4ZXCLAHB6QRIeHFibcX/view?usp=drive_link

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5724	AngryBirdsSeasons.exe
1916	updater.exe
3880	AngryBirdsSeasons.exe

Loads dropped DLL 7 IoCs

pid	Process
5724	AngryBirdsSeasons.exe
5724	AngryBirdsSeasons.exe
5724	AngryBirdsSeasons.exe
5724	AngryBirdsSeasons.exe
3880	AngryBirdsSeasons.exe
3880	AngryBirdsSeasons.exe
3880	AngryBirdsSeasons.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
10	drive.google.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a5bbda5d-036e-4d8d-b292-38527d91dd50.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241119114553.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AngryBirdsSeasons.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AngryBirdsSeasons.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2036	msedge.exe
2036	msedge.exe
3868	msedge.exe
3868	msedge.exe
936	identity_helper.exe
936	identity_helper.exe
2616	msedge.exe
2616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5428	7zG.exe
Token: 35	5428	7zG.exe
Token: SeSecurityPrivilege	5428	7zG.exe
Token: SeSecurityPrivilege	5428	7zG.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
5428	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 4568	3868	msedge.exe	82
PID 3868 wrote to memory of 4568	3868	msedge.exe	82
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2840	3868	msedge.exe	83
PID 3868 wrote to memory of 2036	3868	msedge.exe	84
PID 3868 wrote to memory of 2036	3868	msedge.exe	84
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85
PID 3868 wrote to memory of 1708	3868	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1AG_pSVCiEi5IJ4ZXCLAHB6QRIeHFibcX/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa633a46f8,0x7ffa633a4708,0x7ffa633a4718
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6263d5460,0x7ff6263d5470,0x7ff6263d5480
    3⤵
    PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,256380772551326483,4411725071807499370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\3.1.1\" -ad -an -ai#7zMap22889:70:7zEvent12402
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5428

C:\Users\Admin\Downloads\3.1.1\AngryBirdsSeasons.exe
"C:\Users\Admin\Downloads\3.1.1\AngryBirdsSeasons.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5724

C:\Users\Admin\Downloads\3.1.1\updater.exe
"C:\Users\Admin\Downloads\3.1.1\updater.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916

C:\Users\Admin\Downloads\3.1.1\AngryBirdsSeasons.exe
"C:\Users\Admin\Downloads\3.1.1\AngryBirdsSeasons.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63716c70d402b580d244ae24bf099add

SHA1
98a3babcd3a2ba832fe3acb311cd30a029606835

SHA256
464f0f2ca24510abc5b8d6ca8240336c2ed1ddf5018fbadb092e18b5bf209233

SHA512
dfe1a5831df6fa962b2be0a099afba87b1d7f78ce007d5a5f5d1c132104fdb0d4820220eb93267e0511bc61b77502f185f924022a5066f92137a7bb895249db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f09e1f1a17ea290d00ebb4d78791730

SHA1
5a2e0a3a1d0611cba8c10c1c35ada221c65df720

SHA256
9f4c5a43f0998edeee742671e199555ae77c5bf7e0d4e0eb5f37a93a3122e167

SHA512
3a2a6c612efc21792e519374c989abec467c02e3f4deb2996c840fe14e5b50d997b446ff8311bf1819fbd0be20a3f9843ce7c9a0151a6712003201853638f09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
104ac4a685d0509e71b2b32f358e27b2

SHA1
f5c5da94f54d786545e5937ec8ec19e9fa5ff9cd

SHA256
4ba75b45b1efa4a82e11cb09fda1fbe1408fda7055310cefe38e4d4245c515f8

SHA512
4a71a3caed20c170f326c3fbb22ed6179e1826b55d441a95bdf0dd0efa47d70d908f0a8c4bf2d925152313aa2897d53d6daa581245debe60568492800b72332b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57df15.TMP

Filesize
48B

MD5
91671b5e69665218c5864a49f2616cff

SHA1
94fa80b7c1df99f3d0cc427c15d8155e98130268

SHA256
91671bcb3875712f85bce88eb89544d55e9da7e8a317920e47f25ce95a483d62

SHA512
785d0e9dd4fd7b54a53df147fa59eb87b055de468a0ce455f4feab74582d368a147f327fa1ce69093f92a09ee231ef123094ceab62eacefcf8afff1b45daddaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
55c13faee17d1d93d015980f924b93b5

SHA1
7fd580438e855d3e0a06fa97b98aa75972c24fd6

SHA256
d2c899867bd48c644b9f59f7cab2684d4c1c64502bb689c7926c491079b02105

SHA512
812dc7454c5c3244302b6854bc14e7ec2de26ac69ca700ec9ca962f4e78565bc341866a9028f67679b994276bbb61edc450c4c058b20d794b69849c3f21195c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
67593032dafa30bebb11843254a6aa3a

SHA1
18b4d9acf54c1e47e634f053431be97fbccf22ba

SHA256
1f964a4ba3bddf27baa0879c92c032b6835ba229258af7ad49db4acd7627b1b6

SHA512
0f3591e4a6215d9c335d1a7de25fc900bab6d1d7d2ad7cc1366f304f90547a5ce1d6f7562988d14a14f7c5a036f470678b754fc7aecbfb8bb192c0f4d13f473c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a430314075cfe6a21a8d1499a572581a

SHA1
278d7d64026cf04aa20b3be61610e5f4d284f370

SHA256
db89607149870dbb6ee203df0a8c6eb1207e55ec21410c908352bf52d17704a6

SHA512
123ac4b90c234b47dae009f47fa031e12f08b0c707c11fe997f50de86569ac1f740d4b2194a886ef90f171b60e84de8445ce5607c945ec6066d2a8170e133d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58a0a0.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
58e26381642e63549487bcb72a630476

SHA1
bf3451865c076fc4071b83d5a582a659c240df97

SHA256
cb27306a7bc5918b8112e0b965d74b48bbb5a71ed03e6e2fe93e23f2ab27fca6

SHA512
bd1e9e63c6049994294dd6365cb81f0862ca499287fd05b9c338862b39ac8096722848e796388dad3b3f05c08dfc2f488ba6a14aee2aff863b56bbafb1909ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec7d81a947ff9b377fa7a5fb53586368

SHA1
64782e8d399571e3f0bc1b66d28c7f16fc5a06db

SHA256
6457f02e6da2f344559bb2caf901afd3da209e2a763c0af341a27f00480ab914

SHA512
9e034b18c47dbd700ff40a63363356788611c972ec510499d14a010b40fba25e282733a78445d9492f02ae51a5a077d08e07e84e88cbfc075459409a54eedd31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70e7ce8611eb53ee1aa2c035b640bd93

SHA1
4eff40814a21197abb876ce88d9931c8dffda4a5

SHA256
68c52c0a5a7fa34ca08e8854f7415ffc46b805d072c44461798d711696a4fce0

SHA512
61eaffbccc852983b51cf401056b7012f4c8b65ee635e77003970f1e8f65f3f6b8080d7117c9ec3a9738b3fdbe7c066e6052accd412ee8fc7a6f5329a9cfdb56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fada18dfc5466d91b71ae5b67e566fd8

SHA1
4b61ed69ecb215c7731b6ad4b3eff874de36cbda

SHA256
5b9635f1e8f0a0a531ecc5b6e2e4f32d690031349f98fcc3595aecf5edfd95bf

SHA512
079f1630b1bba057f3a07e2216bb058405e11f941bcb05f96d6d5c6a67131617c22ad88e9ae360269090d6c2d1ecc5dc10ee7ab9b2f1decdad664a1e86e02331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c66a0332ef2a1c17e5631fc7253efe5

SHA1
34fc75687187de0e14144be13f312ba1ca9f0abf

SHA256
51492008eada29273c50ad4fe0d82e70990e6e4b10e08561682c09668d4b5572

SHA512
8b87ddc2d05bde81c5b8b629bd99e5cdcf8a5ac085d4affa4755cc837bd5b5d446d2bc163adbb3536f6f204f154a42908508d302896e4299bff7e524e1123aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0a83634f5126efebf02f14dc3365445

SHA1
3ba33fbec54396f41662cb6a0f3dff48f015f28d

SHA256
3a0a007a55fceaee6ed30c1b03d3be3d5847d2da72be5cbbe05ad85ece27ea1c

SHA512
238d56b2015d34d5c7410a0534213695505c03447bd4f1b04cfd8b40b7bc5ca36889b4de6d4321fad81ff6eae74e66aa9b7062ad96ded11c2094a16cb4a55c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
aa10f656cc16d036a580048ba0bdac0b

SHA1
52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c

SHA256
166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d

SHA512
748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ee8e616a03201ab31e032c60a6d81b15

SHA1
4fa72ee1a3ed74f7798b3b58cabe174c675adc12

SHA256
2d77f4c62538359ca9c795a3be97c3817adb7954e004fe4b85cfffbf216f64c7

SHA512
97640f1aec0c917ca0bdda6f0228eff1d4274d2d681c73206be660697d3a7fefbdeeda23d6e3fa853228be633b4988e543a41f84bd027493c7d633089c863151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0598e7af432c5ea36e55b48a45a65772

SHA1
b8e54c15c5be8723b68da764824cb7ca00cc3e2d

SHA256
a997758c4c7024146c82a33a114ca1dee47b7bd690a07d9048d09fcfdd3a1e94

SHA512
536f07f0111a17c4ca403c894e1e9eb74e3fa66608fcee7059a0c0d3997e1c4ba68ee393e4304cac04e606d96596f8b34c06ac159befdba91e8ce6fe37a58180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2007c7afccee3c00237a7da533a1da30

SHA1
6b909902f8c7910e9fa258b53f49aeb2482461f7

SHA256
40a5bee708a0b8cbb2974ccc8280f7f443e6f219ce96c2de4168dcba548747ff

SHA512
793b9a04538243f1e5f0eeec57c676b7b633bc114a044456f1c3346cd24a781c4135f9adb4ed226ce2e8423cba36faa72086e574c8cb8e026a44cf6929452f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
82f1064496b7fb3925f846bd8db67359

SHA1
e938c463f88cf8cf7938e38e11a646b2c9e30568

SHA256
2b510957eafb6daf07ac026745fbe6a110d37c9987eab13bc1c5e09ca014fdde

SHA512
f8b0739f314f46cab6c0df0ca77a4d02f15adfd4063d49d9d0ef790d3577aab29b3ae52c7f7dc067f7c2b77ec0d1e6b2949e1c1d985a15e24ddf5f103fb5bf82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7b5e9e8c8eca9cdb5313b9116fff66d0

SHA1
45d640b565b36cd0e8fd8e1149abdaef6f1d123c

SHA256
90f8faef4aa7f2bfcbfd2e5d1086c7826af84652a4dd3e01c41d55c2f355b7f9

SHA512
bfdfd6e38670263170bd85e19c8822b8493c915c834fab4de410fe0158c8d11c0c51cd1c35c9362393bbacadaaa90bf4f0d86646cdac32f9ae4d6526f83153f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
893f691d9f34e859a6a11bda64bc7ac8

SHA1
20a5313436332d6c3d1a38294dcff09f8128343d

SHA256
a55c3637ba4734573ee78bb682f59cfa1300932e317c0b9e8fd459796ceef1ce

SHA512
429279bc1bb48cf483fd0f8bc3318db02c40b9a0a9845a2f5e1422fcd1a8ad0c4094bcbad4059bb2552659933b269369edc6834bb522d2753b83f043da46d440

Download Submit
C:\Users\Admin\Downloads\3.1.1\AngryBirdsSeasons.exe

Filesize
2.2MB

MD5
ae36b3d8986d311d1398ae4878c20c00

SHA1
2b9db0250594a32a27c43aa5b59c4055e4b4ed91

SHA256
6788c36fdf54303c69e874391f3f2360628600a768091a8b9be50e9977a2efc9

SHA512
ba0e462d13c3f5c9af35c97d31d4b3227718112002e15c524c5c01d0a9560c0d08030dc6d2a43f6c92f52e8b0b05cfc717940bc5ce9b3bd1be14db0ebebbb187

Download Submit
C:\Users\Admin\Downloads\3.1.1\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Admin\Downloads\3.1.1\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Downloads\3.1.1\config.lua

Filesize
466B

MD5
605a8722e6313cadfb2416246c22c3f5

SHA1
63602f464e515af6269dc49ed489bbd1985d48e0

SHA256
5d31cda853cf6480940c7e74bf892b164fa9ffa908a92a9579e40b2bbf1cb602

SHA512
6a792d9453ff1e631f1ae51b244f07b4e74d686e1ecd07b37e5d60a7ef63aa13674663aeaa2344cc82c14c9fdcfbb44263a26e71a683ee2ab8fe1cac879d44e5

Download Submit
C:\Users\Admin\Downloads\3.1.1\grgl1-md.dll

Filesize
668KB

MD5
bd02704e336989bc5e619edeb5c2e72f

SHA1
27d02cc66b8537965f9e0d4986fd6e60c4f83b5f

SHA256
12c7e753b7c5f1d10db7f417a62eebee2fba1453333cbb50ae93c65b2655e165

SHA512
23d7d3491707f9ba49c7c00d054b2beb6f82a571975715559f90c509cf3ab71363480659a76d0c0e9e70b71b7e3f2cc507908bdb936b10a1e8e9004e169cbb51

Download Submit
C:\Users\Admin\Downloads\3.1.1\updater.exe

Filesize
208KB

MD5
8330d62d49b157b12f7b8f92bf31b14a

SHA1
f71dc5a6e8bcd976b52b4b8f60c5f150c62a827a

SHA256
ee06fc2bb668def3949aa1bac038a40fd448ac0ea7da3eaf5ca0d99c05d6b891

SHA512
0600114b85c92e49aca7e8535e4575e8a05e2909002f62551a5122fa9ebf6c205b3282fe06f388b4098f12b7c2aeec5157b7e6d160c3741daa52ad43d58e6392

Download Submit