hxxps://drive[.]google[.]com/file/d/1DM8tHKG6iyf588IPQuJrUW6uiaKcwiXH/view

Analysis

max time kernel
553s
max time network
529s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1DM8tHKG6iyf588IPQuJrUW6uiaKcwiXH/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
3532	msedge.exe
3532	msedge.exe
2128	identity_helper.exe
2128	identity_helper.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5248	msedge.exe
5248	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6092	OpenWith.exe
2704	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
6092	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe
2704	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 928	3532	msedge.exe	84
PID 3532 wrote to memory of 928	3532	msedge.exe	84
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 888	3532	msedge.exe	85
PID 3532 wrote to memory of 1372	3532	msedge.exe	86
PID 3532 wrote to memory of 1372	3532	msedge.exe	86
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87
PID 3532 wrote to memory of 2756	3532	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1DM8tHKG6iyf588IPQuJrUW6uiaKcwiXH/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ebfd46f8,0x7ff8ebfd4708,0x7ff8ebfd4718
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6576 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,9656070467521317259,1350348928883090353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FuriousFade Graphics pack\How To Install.txt
1⤵
PID:696

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FuriousFade Graphics pack\How To Install.txt
1⤵
PID:4504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6092
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FuriousFade Graphics pack\Fivem application data\plugins\d3d11.dll
  2⤵
  PID:5820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FuriousFade Graphics pack\gta directory\d3d11.dll
  2⤵
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
84a92baf8775837ea14a274156336356

SHA1
6ace45003c8888c4da9a33635b7b385c1e84e8d8

SHA256
3d812b848334476f5aad46c37535540963fc159f7d928ce9c6604e9210f60d9d

SHA512
cf0400b99d699ff3f454fecacf78e8c03d6cd9d439d9fb22ef6b7c40f207b149af6da82bba56720be877e5d1c1074ffba2f0ce4e94ad10ab6b873b44e57afda5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
186402d38e670616d56ef6e6c0705a84

SHA1
3bedd4ac0cfb8bf7981e8bf1f5e6796b80425861

SHA256
b52dd8a6dac16fac8a99fd7000f749aa9504733fa45b1638f3f0f9d8277784d7

SHA512
cd9567a2cf40af3da216d640e690a17924597fd919152e80d5f2d8a6bf7ad6af3c83a0fa37540899cf1d0693db24c2ec9179e63d5314405d935e529afefb9b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d8c540b38931008839009521e12e27f8

SHA1
2a7f61f4cac2b4cf8cc0449cc2eb23214de13e77

SHA256
239c388b6e92d2e20717dfeb0a114b6508d5cbe9909746f947d5d8130d94598e

SHA512
f3329bc7a7ddb8823b2b97390372153b2f4dd2f6857a89aa13eb98d15b1ace818485a6af3c7ea02cdc105c8658c7834bddb9c1178b3beb1a91dc56c9b862bbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
93ef73c636644ebdcab2e12b7fd738b3

SHA1
14364a0092e2d0e53ab73ac166cd6c96bd6fd3f1

SHA256
6b96d124c63ce0c53a139f44c94394fcad5046a4fe222c63b7fca1ccf56be06d

SHA512
1737a35d459ebf0757e648059d80fcf7838f619ad0e95ef2d766f9c591d426935923862adb1578d3db4d15d1449a66203dc516020707e915191b63dda03c8405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
dc5b1185ccd3f23c4c8253ae5acbd7f0

SHA1
dff63f3141998c7d0afe7810965586782fe53924

SHA256
d0196a6c1bfe6ecbb9c0a74c2699ba83ab916d217e8f8039c18660fb253d7510

SHA512
ecd22d7706096d3884ee3fbd5b8a70598c90a66913064e96eb476a38470702f8ec09e86a87beece5e9117a019fac2b73266656175c4c4d1e89aa1dd4be42c06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f592c500b3a6bbe418ee8f6a47683db4

SHA1
125c295dbf7538458969a893ceb30ab3ca6aeffd

SHA256
2fdb77bd08f8ad77b318250ccb7a2d763bcf9fb5ab13fb2dd6315391ed5df5e3

SHA512
6ee18011be4a1cbe045281a217ea3aab31f7ef5caff04265a8ff20d6d72b152a538dc412789518fe25373dab2e1183886745c8194e08fc76eb988ea82a41b8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1129ac9ffe3e58837d2a704e51958f88

SHA1
129f5ffb0b741f9d595982407aee1422fc002b92

SHA256
8db8088e3b440f9c4b820992c2f2b992ebfb4c43bb854cad741d53d4c7aacc9a

SHA512
2120b708cd73d2a83c075b11af42024f1779aaed3f094df695fc3ba66b787846dcd3b023295ad08cc40333814257d797162412e037b4d0e0c2ac9585ed935bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ef75e8bd1426d1a2a0dc46ea733bb7b

SHA1
d26ac1fdca31b76b987802d87fd15e06c3593706

SHA256
97285c47c6e92a351197a834330d6d1a2728605ccb5d7bb8e4033913d711f901

SHA512
d3049b2f3812a0cfa1ff6e5e17084fe4d494bb2455437afd1c711212e1022a38744233d55d4c4ae40ef4703bdaa5a6e303adf047bf2a55196ea46ed3dd8e4150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cd5d40e2eadd3d7e3a185230e98c8246

SHA1
809f1c53cdcc487f8f8b18fdff51333a5363d5d0

SHA256
8cf84583bbcca40752a115d1d24daf2d5c5c03aa8af4a26c586482d1f3f84675

SHA512
84470de1e43b3ff604a9154fce20f909c546512a2f06a90595070e17058c44b86d72b679d60a00c7228f8cd7d958162230fa684d92b6a1dabde5020c9c2492fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3af85c92a74d76f395dc8f8d8c2c2115

SHA1
7bfe49b2e68b509f6ffbde3a084a7f45f0a6d8f9

SHA256
959b99a0474fc060dfaba63631899b2b3924ab0a43123bc565f6490bd628c197

SHA512
ba3c5e2c5d3e09b26d1dec463a8170f5a827a3530a4e598a7da388494264ddd0e3d61a9821d7b876d55f427e681f4dc9f4d6241d0af61dc75c6411f085d5fcff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e01429802e967481346e6a1b92d6628

SHA1
139460cf4347051f985d3712c1e0e2ad006e558d

SHA256
b4fb773b29e7d6e170d379ab9118d2d9342a992f442d55ac9608c49e34520dfb

SHA512
b9024d04806945a3041323d7f72325720a2a5ea33cedaa650d9e5fef83eb45b9122907ded18aa1c1170d69e18dde85d4014c5429d6704ef2ebc61181824908c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\acd114cd-9042-4e75-84fd-ff6a84eb4506.tmp

Filesize
3KB

MD5
77421441fbc0e1fc096f195a93a7063f

SHA1
b9a630043079db2aea40c2dbff39e9883e2e899e

SHA256
d3a4ad473d2ab6e0b195d4df8dcc5e27d3d38d3d2a64a3d65d82e995937306c7

SHA512
7840b28c2ac90a4cd26c7463a7e411ff47510f1ec4e6ae8608bf033b3eb604b2d938a6bc8fe97c1ae87bf2a1a7c87ffccbf6242b2fa8bbcc52e1a0cf4866edce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
18e76569994fa9510498b61fe4f2972d

SHA1
30b6b7e6a645d245a8893bc7ed8ee94d1eea53b1

SHA256
19535196bc2054fb1c384864c23fde78aed4e0a2ef5006f88cea0e6b9d07b0b8

SHA512
17be1ceb70bd07ccb0b90a78cf757f2d5436f489b267dba3e0a93333d82b6b19bac7c1213b658fbaf8ae3126d4f31aaaf8edc08fefe5722b48bd44aa36c94e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e07877c8f5221c19a2e41444ed163b0d

SHA1
c9d6a3c4969bf361e0fd9ebfac8f8604d12df14c

SHA256
469d042aa3db0e0a42460fe91c874b9e3e58b614103fc9ff9d6764dab4347417

SHA512
de42ab590cfc0fb2b64ccd387f4bc36c1dcc1964a4072c2d9eb31cc7b4c1729842652dd24e346bbb76bc6cdbc032b548285fbc21cd7d508004043433dfda18c1

Download Submit