8cea4adf5febfa9528d01259bf9b70afdb814ce8b41605b8c619a9738a9c9414

Resubmissions

20/11/2024, 03:46

241120-eb3ensznbt 3

20/11/2024, 03:44

241120-eas5lszdmh 3

20/11/2024, 03:41

241120-d852ds1ckm 3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

memreduct.exe
Size

302KB
MD5

fe8eb129610e454ad17b9d6ccbf1df8b
SHA1

28cfddbc7faf2e66aee0eec673c7eb7beab25510
SHA256

8cea4adf5febfa9528d01259bf9b70afdb814ce8b41605b8c619a9738a9c9414
SHA512

4aa488a5844eb65fe0f72d1ab325ba07a40fa0cae658bba38f59260c1467d5c902ae8bcd6d8e2f15a5c81139147155948f99a0e303ecca001f24a58d5c5de399
SSDEEP

6144:62uLW2PbSyXuF4a4gLZRE65J3EvgxxEvM:6hBTavRh5J8qxEvM

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
3912	msedge.exe
3912	msedge.exe
736	identity_helper.exe
736	identity_helper.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3900	memreduct.exe
Token: SeProfSingleProcessPrivilege	3900	memreduct.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3900	memreduct.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3900	memreduct.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe
3900	memreduct.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2040	3912	msedge.exe	96
PID 3912 wrote to memory of 2040	3912	msedge.exe	96
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 4888	3912	msedge.exe	97
PID 3912 wrote to memory of 2732	3912	msedge.exe	98
PID 3912 wrote to memory of 2732	3912	msedge.exe	98
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99
PID 3912 wrote to memory of 1740	3912	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\memreduct.exe
"C:\Users\Admin\AppData\Local\Temp\memreduct.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcd50746f8,0x7ffcd5074708,0x7ffcd5074718
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6747875961014788715,15025400916043516235,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
a36c1fd68a2a6ebcab0acbe4c50b2987

SHA1
d38cc704cb27158e23d2a25f513330cf08369555

SHA256
d81b47f6d80721ca7ce08d3096d562dfb60180054fe6a5f956e2afcf4db8704d

SHA512
fc8294a2174c3d244b463e6a72b15f5c7a18e9c6ca34e1d53c1735689a592d4e39f2e1e5df276aea55f582086f8dcfa6c7887f80e313db7ef1cc20818810055a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
61a515570d67dd220cc1f5f4088a5f4c

SHA1
659ce346424799c75f8aab9132b3e16011b7ebed

SHA256
de736547f19ad7979f1bfd536b18aab197e7f2f88616cf51820050e5533c7a04

SHA512
35af0f8b820341ce4d9e1a70494528f28a965593315c710bdb90068fcb65c8bdaeb433870bcfc54753c25c3d5932e5d6bd1d9f607d0ec74909737b860662d9f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1fe565737a5b96d37403ab124999221e

SHA1
2cc8e7242f0c133f5db834b61dac2d50b5a59c62

SHA256
d95dd133cdd4c8b1ba16f8a27149565c66707a0d164c326080e41a1cd07f140e

SHA512
13a471bc76acabc00ad59f0027aa9b2f22ecc138fb42568eb45d9846eaeb12a89fbd342646ada3cd871e6b14cb3cad8c44eaf33cf5e1a7b4533449db9d47f3ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20df84e124d07c5cdd72554ca274a17c

SHA1
46782c9c00bdcc0a11311ed5661b1be9acd6a537

SHA256
792d111502c81f2749e4496bb4db1f6d889661513b67c678f765d83a09c46d6f

SHA512
20279d9583268f486e958ee8c968351a81e53c9884b11abfca8d8a9bd556a78d98a7ad37d0a68740bec5c543bc9181e6b1b028f53a6233668103c18f6718aee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92db789f784824eb4d02255451396c15

SHA1
6f721f157c906de0d8582e16635dbd4193f61112

SHA256
8b84419972fd92ed011b441253f7645c6d2336ebeade2a36801a001be5f97b39

SHA512
d017fc35148fa9f8dbe87645f30b361bc8355c3b85d944e460f34fe577525860bb8f3431b96af1ddb1e609e8c6d72456c71b23696c7c605cd186578ba93ae5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81a40a1d6e69899a9e33be597ea3f1d9

SHA1
49d317f827700fbee0d029642f52edf463815a71

SHA256
f8c6fe4920a9e320aecc67a13c9ad3197441fccaf58f3bca30bea705e7c9f998

SHA512
f53e949974ab415add64f99da6247bde8239fad8887936deec8ebbe7e319ebc89b6f3219dd0227658417ee991c04f6fe71ee774d5b3281b8f710b92264277365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10f3d832ef865f7ea07572ae710b8d25

SHA1
7cd39b89b0183fa47f2d5c430a5f92c3866290dc

SHA256
bef3927af482600e23a3abd10f4be9a3775a627337e51363cef3446431513306

SHA512
0ac35e9a3c73d825fd0f837bf006c6a938a5c647863d6d8e97226f07c48f741e571095159421d333e7cc39457458b2db15688bcfa7f098888b960a0e0bb7fc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7104ed56ff8df83cb504d409562541b4

SHA1
cfa81e90b9253983d2851b5845d80f4f94280f5b

SHA256
25610087df18154b4fe2494d2fc19eb6ae15b85833992b3b046d41d991823032

SHA512
d41d398d20ea857c310df68afd297b425958c7e8c54d40f041c90ade694dff05d25222e200534af673a5cc7762f87ef283f668deec381bf01112c650226a45e4

Download Submit