hxxp://github[.]com

max time kernel
145s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
46	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1532	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 733205.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Love.bat:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
2052	msedge.exe
2052	msedge.exe
1112	msedge.exe
1112	msedge.exe
4288	identity_helper.exe
4288	identity_helper.exe
1376	msedge.exe
1376	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe
1044	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3492	shutdown.exe
Token: SeRemoteShutdownPrivilege	3492	shutdown.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3568	PickerHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4748	2052	msedge.exe	77
PID 2052 wrote to memory of 4748	2052	msedge.exe	77
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 416	2052	msedge.exe	78
PID 2052 wrote to memory of 3080	2052	msedge.exe	79
PID 2052 wrote to memory of 3080	2052	msedge.exe	79
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80
PID 2052 wrote to memory of 4396	2052	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffcc0903cb8,0x7ffcc0903cc8,0x7ffcc0903cd8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Love.bat" "
  2⤵
  PID:2540
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1532
- - C:\Windows\system32\shutdown.exe
    shutdown -s -t 100
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,834000827591249136,17770912397137934117,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
70KB

MD5
807dda2eb77b3df60f0d790fb1e4365e

SHA1
e313de651b857963c9ab70154b0074edb0335ef4

SHA256
75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc

SHA512
36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d56666900c7aba60874d88954826f0cf

SHA1
992c4c84c6723119498f0bdb2ef2fc39ec28c92d

SHA256
4eba1292554cf5e637e0ce2762645bd7df85d9b596dd1e102b3b73ec4739e06b

SHA512
50b5d235420ebec5b6ea3ae227af732d89ac9a3289294b9c320cd033951d862c9e9c86584ef709eb8f6374db7e311586759b8a58d7c38985ec2437eb6ee6ed66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ae9d6ef62496c68622bdf1e0d194b36d

SHA1
3cdb68924966952968b91b8e241a3c6790869209

SHA256
ca431c20e0b52ed91740b69829e5b4568e27e2e8a02a9494c4e43c45def069a0

SHA512
9f9cc441d0ba1d037763e6e562ad391be58a0ffd7d7e80327e7957c030198cf07da3f59c62e4ce5757730d88721c5ed9eaf66f3d5a615624a3484bd0960540e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
701B

MD5
41efa10721107fe0cefb3b455d4bd2ad

SHA1
1136c04869c626f508fd9b31f1049c650c79f98a

SHA256
9ca898fbf19ece179aaec5130a9cdd1c3c8c0df003ea73412a7761020763e6b0

SHA512
a655e48500fdbad380640984c04ee11b24326563193fa080e35ed191abbc3667f15af6722556fd1760ef62fce8c22afd588af484cd2f882d0f3031cdb6d427a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
4c38b112db0b609b2409b6660bd008bb

SHA1
1756570f5e8001b93d94ab84107c8f866783916e

SHA256
912947b1919fe4e5279d1b41d3eadc6cc3000b97c7d642bc144628c8a7de351c

SHA512
8ff3963908a396ab752c96a9f45473cde96be1599f1e24c4fe6952214f264e16411669ab8ab808dc38d94467a29c2cb096ec176e975e4218053a3d6520dd55a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
071ab900c12ab65b812d44795b6c08d9

SHA1
f0398d9f2e2da91572254bdaa95e2420e7881d6c

SHA256
add237ec5f86b7b30c46c305d226838be4d2569b8120cd3ea349870c18954b60

SHA512
d868fa80d2d4983f203e89c35d867deddabe2c42633219f235512efa77961612ac7c630bcc1e2425385bebd2ab07220666b6d0e1db6e5c2218ee2e2efba7a90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
057c3da9a2c98031ff1d332ee125b68b

SHA1
b5e1261ad58876c5a3b388ec9b600d4acab0893a

SHA256
e21ee87a5404008b492cd133daae5b181551638f7d349cb74c8b65f784d18aa5

SHA512
008b164abefc60dde9cc34a246a6f1c7ddcd5ce1612f9d173d2c498f06151ccaff320c80f7c8271af9cb6b2ee3184bc3d77c71d0eead9332b80e5ee1d4d6ffcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ccef558518271ba9c2c37f57db83c5e

SHA1
fe6fbf1a85498488e051e721dd0401937b0570d7

SHA256
a0f3c93e44de344c3a227239204ee4150c069723df08b25e8949518e7cc2baab

SHA512
9fde9dce379880969069e7c1d0ea589dabc79f2a468900ffd3db65ad86882e08b747cf55922441f7d4222a339a4fc1a4b4b8d3bf5839f7cf8658d10ef072d297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df41f299d6683b01b5a4ed8f9d50c798

SHA1
1285379faf701e80f4160b1a8f2baa5662c1a183

SHA256
732149b0c7177dfd01e3840121f13892258027bfbda3974d162c7f4403508a1f

SHA512
35c7ccaafab347261716f178d88dfd251a4ca6242c924fe7c10d66ccd1bf8ed421db5f157139e9fd49d161ccfa6c17b2a403a3ab276139614520b75f3166903c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c42d74ea86e852dcd49e68b16957396

SHA1
6bb880a0dbf1a6a6d4f700bf714cb92b55627308

SHA256
184e72d0429abf365674a399b984bbe9b2f8b4a1a77d849da32adb1d60761643

SHA512
7246cb0531c7deeebc198a36b0d41b240222b992eb40400fa599a6fbd2e162b4d95d66dbb3a60ddcc55c8cb73daa4c983c55dce13c24b6ae9f2276e917866d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a682ad1c8b4bbc7ade69577fd9aaf5e

SHA1
64bcaefda3adc2e8d1387f9e02dec4043430a86d

SHA256
fb3a26ef5db65c5fc9cb3f9fab6e38010835d2a43be2689dbc4d40a895d3c09b

SHA512
1e040834fc0e333b3b54972ec402099e3aeb797cd8b04cb8bf31d2858b3b8573d54e6067cd56b81a62a9bdaf71db60ce2913ae4dca288e9ca61f4541aa2b4ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e0a29fb0d8a687fd48ee3ca5cf36e38

SHA1
eb746076e732db313d169a0c43579e213e26613c

SHA256
3960e4c5f06898824931e3cb0d5117048089b75173aacedaf5a4bbf1b67bda86

SHA512
e8e6ee83988650a93ae027cb668a8ca2d8ead62323f5e5a96975f382785c47f01f5964876372da481e6d1ae44bbd4e6b763d2732b1f391497ca36e529be013df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bbd1847497cccbfbe46c2343b465c415

SHA1
b6deb64e22c34cb2ee9b66e4c36893038b39ed68

SHA256
af9de9cdb523b5e15297c7d79f16e73f0c8e355221b862a16c1e7324595d4f62

SHA512
846456a85c571773eca54059927dbbb14df0ca2a151f1c675b3fa124921496ba4faf282daff89d5647a94007065711e94bf46fad18502dcad2137ce46cdd7646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
fe0f24d79551ea88c59d62bcc27ab6b5

SHA1
d523e3dfd7c08f7411f94f570de85563da3f1d71

SHA256
9959c79821c382d03a48811bceb1155a1e5308226abb69732b5d52b6b49e24f1

SHA512
957797c77043969bb6af1b980631d4d3a1b2067eed6b1ef92ce079cf0a0624ee47ed3fd9ee32fae532281dead869642d7eb43d1a56a027a0269489628c5182ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e3139c37e237c2a86f9a0e58877cd95

SHA1
f5500317141ebe0af14adf71732e494e7a609e78

SHA256
b7e1ed33f4c62cf653e3ddf5904b660406fdcf1b10c219264cf6f59660f56d31

SHA512
7f4583cd05c9f8731943f02e2121d8c2834fc216c48de413ae5c99eefd6141d70d58ff242663bb360d2455e1e29b8008f57252ccff5b796ab517a33f3ff96825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585dea.TMP

Filesize
702B

MD5
70c92cace7e49e883cd06fcd0177163c

SHA1
c24ff845dba309973a8a6de4539f1bb97bd8f652

SHA256
748b6e6cc7f4658956cf0beeeb77072b91d5f575d31354d8b2386f96a5563955

SHA512
15456a050947298f992512c775a851365070b6cf41d8431d19136f28306a5492206a2ad00d93cb776964cdb199dcf803b00ad5526b6b9ef31b0c14a565dc687d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d883a090521cf710715428db6933fd0b

SHA1
b8e363f528954f8494e616851caacad7bba1ab08

SHA256
2b2d9cb7d4aff17f0c9687501fc082994c38706672b39d81be7546711a9eed4b

SHA512
f86a7574c4ff9c542a11a3ce63c0e311cdf8c580b152dc22f8f2f41f2f042350ff21849a40ceb4aed38fc1272fefa83d2e120619d78917961e1c31931d4b8fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5faaaf6bc3a57338773e818700518c1a

SHA1
5133bd21258c5daefa66b97312f36d9dd3910a9f

SHA256
a567f8da812926fedebfb0b67ab63a667cc2c3e6325475bfd55ff582d0c390c1

SHA512
e419756844f9f797641606a3acfd353608b47cb2c6bafd0d7a2bafea97f902844cfc21638c8f58bf12562ce06b02ab8dff11da546439ecf7d153e22d41aa428f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ecf9811c085628960d7542778f41b7f

SHA1
9c3a4def9f31b58427b551a8e79d728f7ff19a75

SHA256
f6062a872f9c382771247bab0ea15aa48b17f2460bb059978d46050838cd769e

SHA512
692f84443faf44bb2470c6638f91c81d684b1df94e53ff2e96855913adc9a6087e44a55025b7f1c17d9ff9e5a01832951abc2d9776ce3a8eac724e564fd11cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c69893d4a1aacc77fb041a6f1f27bad

SHA1
ed3808741dd7717049ea55594bb08dd5ae38ca7c

SHA256
c256373921f7bcddb482ca35fdaabfabffda289a26cc294c84d12ce77d2d69fb

SHA512
c7d4db340b6c113eb0a6d0afe10b5d366496ff1bd28e3f44fbf3560336b8931b71802b3981389cf1b58e14d1c9325f8492c51da1743b72b227ddf0bb805e326c

Download Submit
C:\Users\Admin\Downloads\Love.bat:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 733205.crdownload

Filesize
327B

MD5
0c248dcbe812d54aaac203162190edb5

SHA1
1392069ef7f3d5ec826b2d61d3056b264a945521

SHA256
07cc1cab6935312f39de3ae2734be3fcd4b41c9c4af8429e66650460cc74b471

SHA512
d69a8199af9a3473a28f14129fa136f2ff0e435229ebae7159a46df3026816df65f1c08011f3ec18115ec58898ed4db594ad689e0bc6822113183afdab2b78f0

Download Submit