9e25c89846782ebffd2814e14b232447b20df9105cdfbc5a662c721360f0c7cd

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hmc hotmail.4/H/MailBee.NET.dll
Size

1.7MB
MD5

6dde77d756621d00016945736760f717
SHA1

7094f0dea1b4c4bfd7f840b63b704dfc9bdd079f
SHA256

81632ee251474cb656dce412181e9f68f426ba20f3a0c4120c868a0cf05cd6d0
SHA512

e3389201e9d198be6304b79559d9d5d457cb33c74b441afb7ecafe4aaafb3cb0d583cd4ab8a5eb6045cd934d2c2a4007f6d1474beb5584585fcaae0060f4b813
SSDEEP

24576:sDMgcE4ilhMM9XBav0OvQRk/9P7miD6MaP7N:sDMgcWfMM9XBQ0OvRmiW17

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
1492	msedge.exe
1492	msedge.exe
1288	identity_helper.exe
1288	identity_helper.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1708	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2972	1492	msedge.exe	91
PID 1492 wrote to memory of 2972	1492	msedge.exe	91
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 2508	1492	msedge.exe	92
PID 1492 wrote to memory of 4408	1492	msedge.exe	93
PID 1492 wrote to memory of 4408	1492	msedge.exe	93
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94
PID 1492 wrote to memory of 2488	1492	msedge.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\hmc hotmail.4\H\MailBee.NET.dll",#1
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca55e46f8,0x7ffca55e4708,0x7ffca55e4718
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1884 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,7053236281792456560,3283049033231290841,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3492 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x53c 0x538
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
27KB

MD5
5f03ae107371cb079c1ccf88bb2ec46d

SHA1
3139e78d7e8f51d7aee1f192f3b648b5a2d8bac6

SHA256
07a0d4e41ce0b0b6ec2d5df1fccf70f401d22b3d9d3cbabc10678a6a8c509264

SHA512
2c3a735694aa483ed82d6e304fc3a21c2c3d0ad76c868223db8a82a24b3acbb2ae1ac3ec03efa85b6e278b22ec42b53e7189dca4aba1c68baac82aa0aaf22e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
65KB

MD5
762e514d75aa5a817e12392a8f7b1f5e

SHA1
903f8f94de9f5ebc3b247da91dfb38ea3289da5f

SHA256
325e1921be745f6a128b6da43434f79ba628004c0294673db13f84501ce5e248

SHA512
121a48cb9d555f7aaa956775cbdfce12efbe50536f35cd162ca66cb7b73c41ee85eef2ba283d784a58c9e44307c1804ad5095c3affbe6275c9abb93d5bacbe16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
91KB

MD5
7a11ab0adebe8143fc71d0a1d0ede6ff

SHA1
848329042ce557fd358e64910309e0ef473019f8

SHA256
d1d88e20910acd2785760a3775fea57d853f87329988a0f7671791352ecbdf38

SHA512
1039053ebe38df496ccf694a28f5807ced7dbf01ae863ab209b5c03d1eb0e91ee6cd6e1ee9d3fde6edcf24426d25f51a9608985bc860e9b452edcde7dae85e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
108KB

MD5
3bd0b3c414238f1ced8c0a90fe4cda0c

SHA1
9df4b8eaed509023a971f6c0c7d2acbfa04cf08d

SHA256
d026fed6cabbd937b0240c1cc51a099e2c3efe602ac01862c96348d285f6310b

SHA512
c9c9e69e44925761b58affa382e2ffbace3643c4e2c7097c1fb541f3a3f175f52643a316019f181294bbe35779f1bff4736f45356ef94819d5dc4f78044a4da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
60KB

MD5
5d061b791a1d025de117a04d1a88f391

SHA1
22bf0eac711cb8a1748a6f68b30e0b9e50ea3d69

SHA256
4b285731dab9dd9e7e3b0c694653a6a74bccc16fe34c96d0516bf8960b5689bc

SHA512
1ff46597d3f01cd28aa8539f2bc2871746485de11f5d7995c90014e0b0ad647fb402a54f835db9a90f29c3446171a6870c24f44fb8bbb1f85b88e3ade9e0360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
16KB

MD5
6c0949d2cafb4b0136e62e83f69aab34

SHA1
e15091c89e7c0e364993d8da0db159f5c143830f

SHA256
201ff0cba3dda97312a40f4c175129cc078beb4a51bf56684713f93cea14485a

SHA512
2d47fdcc9c091b1de9b040d51b4eb0e9ee01b904eafae3d6f284cbe437b955a5a69e5f1705d02efff2ed77c29e876a8a25115bbef26a12fedc3e64a20083ecbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e38539b5ec65ba2c2ba83be49bd473e0

SHA1
c378f3a167aaf536f748f07e9315a09a88ffe1cd

SHA256
f7f20374e68c4ba807da685496c7c27c5690c27c89c5407caaa0e561169f7896

SHA512
ed067d1a3e420c670a05f66bb2b3c9bcc7c5ad6826ae7855afebecdadb44255da06b29e117aac6bfbd1f26f6d25b4517ae7d5f14799ed28dfee4d8ad778f6388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
0de85547e10c8e4742ab970941303006

SHA1
772b0a67e1d140b888700139627abcea1d60f280

SHA256
655ec5c3389a862de80831747737e5c0622251cde4b2df3039b6e0240d461b76

SHA512
6124e8849833f136b90df9e8f825ca3bc80472a4d789e9a849475cf47d4effdc406cdbd387aa598ed220a00ead7a02c18bad54322ad83eb7107ee78a33921580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
99ab7a53d1a9a149e309718870dfb950

SHA1
8fc0b734680c0453476984707e5b8edcac742e52

SHA256
25d2f76ed4162360765bdbb2f58ec5052f5a736bd4e3e9003fe4dd00475a1fac

SHA512
44e478d004c3c5656c3cd306e49988f33005d426cbac9b12be62c9151ee3dd684fda9148ad16d31963931c9b5e3eae145b8d93d2f531e19e53e8bbce27d04f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ab26a76a2931f3f235e0650f84cc1e5

SHA1
039222ed6c0c4f0db5f73ffa0b5d7acab9533928

SHA256
16195821b8fa94c66b12c7b95c7b135961608f801dc14625303ccfe5a5658d53

SHA512
67ffec9c8f1f84fc1c114533ebd05306c793391e936ff54178fe297744132ca46532a577a25a1c2f51f246ae620cc9224e0b6a248d6944f1e544db5519b72014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ad16068f7d45b277aea03985078dfb7c

SHA1
919566ee885e1ce1f752e1d7e815a0e1ede001ac

SHA256
b037764296c56f70eb97dd8002269e0f68e20ce755c5a596a509f18fcbf429d0

SHA512
d5f3038faa5cf244f1184c7c38a358ed4f00698df850450df5ae10772541525c8c445dff2ff9fa4aee19949868e3e2ad9d98349312166043c53bc47e98fd52eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5add12d56e01c52205b1edd19c993bfd

SHA1
e0ed23b056a1a3546100468300fa92946a4aeb73

SHA256
5d2c219068d3552b5dbe88b5a15270d304f4b5144e561bb2ed94d41057148818

SHA512
8e4220c34fb761e0a31bf935b41d9141336e6b8d8f48d753a2ed6d3fb648fc59a8f6c92200e696c9218df6e530e4a9886bf1616b5255b09374c3467f8ad986a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9891bf9bc93ab50b3bd5245f03e3a774

SHA1
b7b0c21e0901bb02e3d490fd7cdb273705c93e6b

SHA256
ae8d0f3e4dec610087e4a898e6b838248e118b00522feec4aaafe81f9971e5e0

SHA512
dc4eade757bca210f2f0f376c08d6a0f3c1df0ac3a9b3738329723c33bcf4a84176ed929880bd8c340a7c9c93326da8d72374a1d8f17f5d492020666286fb13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4de76053052a4986672ccb29ae934743

SHA1
de92ea21d73ec4f1e19e92d0bb03e7fd797ff9d4

SHA256
0f40b734f995c69d98362fa60a25d2f149390d0b0211ddf005674b14aa078929

SHA512
2b000edd3da5223d4dc4070beb710d014253ea456fa9581e7e7df33012ffac002aa3ea5192ca0cfbfb240adb0eeb2e85217feb1ecd5116ac04d2053171a65ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
4KB

MD5
12598fd381b7151666be489f95df46c1

SHA1
054bdcdce909c9dbc77800ebeba9b8d4702a26a2

SHA256
5787b0d4b140b726b5f491b0c85105780fc0d1c198def340260377fd5318914d

SHA512
e05cbabb76ca0b157fbc5a6881ed07f8553a8eb58559851a7a14ca8be114c0beb1fd6a96f0c0070891908ea13e60c74acaa9b13e0cc392dff1e2319f1f867d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
4ee652f0dd81119a3f756e8132ecca45

SHA1
97c54ccfb1531dd6dc80123f4b9a6955a601221a

SHA256
b0a39c6a681b5566806844de42903a31fc76c79e1d2de8a683d39e28fd2a7e81

SHA512
2d06969eb1bef515e1b8b725f30275c56c7f7b75cdcc77f2aa667ad630c62ef3074757d005adcde9cedf7089465240fe7bbbb056005b4098e7260c0e1908d1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
3KB

MD5
5b1894935093b8989f2dedd89ed9b321

SHA1
a5b666079b18ef03cb8e425af08272a6e6b3e68f

SHA256
721122e188da433b98953a62052e6330f32ac2af416cc2ae078f461725df3f18

SHA512
2ba97944bbf4db2503082c1ed0eb6883609bc855137af07336fc6c6a2e1e460bd028cb2f693924e4aaddae8cc8791e3aa1685798e381d781979f99b4c3af6c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
cee2730e6abc3761502d5f3192814874

SHA1
549f65057702423a6fb5649e5c7724ff00b80e0c

SHA256
67365501976a336b20efc9d1175ccd6b387bdb3f62bb23f41c31c9b8dcda0085

SHA512
95971a811b6b02aa2243847d33b55d5e7500cb595114a8d36f84078fb25ecea3557a5fa25c7191440affef573d374626f5555bc1a765e43dd74b55d637735233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588ece.TMP

Filesize
48B

MD5
bc4b8ddf1536a3175a098f994c4b7a96

SHA1
58c14e0046ef2dbaf6afaccca83b5ee62745dbbf

SHA256
5ce65d7d358bee358bdc3018acc00055f18e84128791ad3049c98eaa2696d9a7

SHA512
0f92b5e1db529cb9fc825deb76d725f8f436aadb43ceafcc5dd4796ad2c0a903c589fd73fbb4a1d5f6c21fdd5f81e7a15f3cadb4e2a2faded56c7796db3bda42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05d633914fe2cfdfd1c2d9d4cfaec167

SHA1
77431932fa9fd62da5424948686f2f35f63f2689

SHA256
9cb5d39940c24c069d6c0fe7c35df397e436f584b24875cb92ad3c58b6806b6e

SHA512
67e9b81cad3846482e45a712d015bf8b59c2da081a7e9d650e100878117059aa4b27a74c4a8b0145cc4f04d115817669a23132abe0af79ae95fcb405d5079dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
df09a2d722fd21725bed8607f4ac68f4

SHA1
f16e775169356ff32f0a806b33b674f62eebca67

SHA256
a6823a08d3a4b881890fd19f7c5be55f6f3f45e9b16104d27ff7f95cfc96f374

SHA512
f4cf0eb2221b541638a75d6964eec5f2b9122153d1b8d01eeec8ba2dae707d0aa23ff8de566d3807300ad810422b3cd4310bcfe59b935cc5ce048ad0fd3f7db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
b5328b0c1db608e7b64c8c201a9d945f

SHA1
884e7dcdc4b41fed4db691ebfea00027c93416ce

SHA256
b46a0dbff11ec8efda0d0e97327d5bed1e30ab80353aad55e2c4d68898f92155

SHA512
0b73ee716c7b25c8aaff88d09a5269ba736ea90128b59dd1a8836ee022d0e57aaa4159bfc8887ccb3c6ddc2260f202b75de3ca3907361ad2f584d56d177825ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
35606d77f59ac54082d301de983ebd90

SHA1
a185c14e26f5d6b58172fc8398be1331945ca7b2

SHA256
71caaba3b545085703b610399bdba844e5711110d2ebdc061965a0fa0ed3f9b7

SHA512
c735964e0de3a3d92df0b2f1786159749400e2a7df311cdb6837d3d8000b88fa5c7dc030c288b9def58ca5cc9515c0c36bc2816614b3f269ddd446b43a717b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cadd.TMP

Filesize
537B

MD5
d2a835dee8eff3865d5eff404e2308a8

SHA1
e1b27805bb362d1d3254ca28187fcbcee33e797b

SHA256
6db0cbc4cbadbdfb58d98e5e87c804cf84daf328075193b1e4fa2d94253e6a57

SHA512
b6d6d24ce30c55b41e171f8ea223bd973bf29faa80c87c17cbe05c099edebd6d8b34d8abeda1d7b8f4f3786582406a0b5fbcaef40dfe78511f82e55b7f62a494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07996d6e9e45d9cdeeaae610d9c751ea

SHA1
1cef53ffd2aa3e12b0d455238db6189ae0ee4b07

SHA256
945d9a11c425dd965d8cc0546d5ef14e3e03d5ff360486cdf7b2e8b631b6a263

SHA512
d2ef888c51723786b8a3e40245834f0a0bb91fdb03732a080c4225792207c1d67a3ff469ac298aa03c091490617d19dad998282bdcf0bce6b94cb1edd2235759

Download Submit